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FOREWORD 


I  am  pleased  to  promulgate  this  inaugural  edition  of  the  Supplement  to  the  National  Industrial 
Security  Program  Operating  Manual  (NISPOMSUP).  It  provides  the  enhanced  security  require¬ 
ments,  procedures,  and  options  to  the  National  Industrial  Security  Program  Operating  Manual 
(NISPOM)  for: 

Critical  Restricted  Data  (RD)  classified  at  the  Secret  and  Top  Secret  levels; 

Special  Access  Programs  (SAPs)  and  SAP-type  compartmented  efforts  established  and 
approved  by  the  Executive  Branch; 

Sensitive  Compartmented  Information  (SCI)  or  other  DCI  SAP-type  compartmented  pro¬ 
grams  under  the  Director  of  Central  Intelligence  which  protect  intelligence  sources  and 
methods;  and 

Acquisition,  Intelligence,  and  Operations  and  Support  SAPs. 

This  Supplement  is  applicable  to  contractor  facilities  located  within  the  United  States,  its  Trust 
Territories  and  Possessions.  In  cases  of  inconsistencies  between  the  NISPOM  (baseline)  and  this 
Supplement  as  imposed  by  a  Cognizant  Security  Agency  (CSA),  as  defined  herein,  the  Supple¬ 
ment  will  take  precedence. 

The  NISPOM  Supplement  has  been  written  as  a  menu  of  options.  Throughout  this  NISPOMSUP 
it  is  understood  that  whenever  a  security  option  is  specified  for  a  SAP  by  the  Government  Pro¬ 
gram  Security  Officer  (PSO),  his  or  her  authority  is  strictly  based  on  the  security  menu  of  options 
originally  approved  in  writing  by  the  CSA,  or  designee.  CSAs  may  delegate  such  responsibility 
for  the  implementation  of  SAP  security  policies  and  procedures.  Since  SAPs  have  varying 
degrees  of  security  based  on  sensitivity  and  threat,  all  programs  may  not  have  the  same  require¬ 
ments.  When  a  security  option  is  selected  as  a  contract  requirement,  it  becomes  a  “shall”  or  “will” 
rather  than  a  “may”  in  this  document.  Bold  and  italicized  print  denotes  contractor  security 
requirements,  except  in  chapter  titles  and  paragraphs. 

The  Director  of  Central  Intelligence  Directives  (DCIDs),  which  prescribe  procedures  for  the  DCI 
Sensitive  Compartmented  Information  (SCI)  or  other  SAP-type  DCI  programs  also  set  the  upper 
standard  of  security  measures  for  programs  covered  by  this  Supplement.  DCIDs  may  be  used  by 
any  SAP  program  manager  with  approval  from  the  CSA.  Specific  security  measures  that  are 
above  the  DCIDs  (noted  by  asterisks)  shall  be  approved  by  the  CSA  or  designee. 

The  provisions  of  this  NISPOMSUP  apply  to  all  contractors  participating  in  the  administration  of 
programs  covered  by  this  Supplement.  In  cases  of  doubt  over  the  specific  provisions,  the  contrac¬ 
tor  should  consult  the  PSO  prior  to  taking  any  action  or  expending  program-related  funds.  In 
cases  of  extreme  emergency  requiring  immediate  attention,  the  action  taken  should  protect  the 
Government’s  interest  and  the  security  of  the  program  from  compromise. 
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Chapter  1 

General  Provisions  and  Requirements 

Section  1.  Introduction 


I'lOO.  Purpose. 

a.  This  Supplement  provides  special  security  measures 
to  ensure  the  integrity  of  SAPs,  Critical  SECRET 
Restricted  Data  (SRD),  and  TOP  SECRET  Restricted 
Data  (TSRD)  and  imposes  controls  supplemental  to 
security  measures  prescribed  in  the  NISPOM  for 
classified  contracts.  Supplemental  measures  fall 
under  the  cognizance  of  the  DoD,  DCI,  DOE,  NRC 
or  other  CSA  as  appropriate.  See  page  1-1-2  for  Fig¬ 
ure  1,  SAP  Government  and  Contractor  Relation¬ 
ships.  Additionally,  specific  contract  provisions 
pertaining  to  these  measures  applicable  to  associated 
unacknowledged  activities  will  be  separately  pro¬ 
vided.  Any  Department,  Agency,  or  other  organiza¬ 
tional  structure  amplifying  instructions  will  be 
inserted  immediately  following  the  q>plicable  secu¬ 
rity  options  selected  from  the  NTSPOMSUP.  This  will 
facilitate  providing  a  contractor  with  a  supplement 
that  is  overprinted  with  the  options  selected. 

b.  Security  Options.  This  Supplement  contains  secu¬ 
rity  options  from  which  specific  security  measures 
may  be  selected  for  individual  programs.  The 
options  selected  shall  be  specifically  addressed  in  the 
Program  Security  Guide  (PSG)  and/or  identified  in 
the  Contract.  The  PSG  shall  be  endorsed  by  the  CSA 
or  his/her  designee,  establishing  the  program, 
although,  as  a  rule,  the  DCIDs  sets  the  upper  limits. 
In  some  cases,  security  or  sensitive  factors  may 
require  security  measures  that  exceed  DCID  stan¬ 
dards.  In  such  cases,  the  higher  standards  shall  be 
listed  separately  and  specifically  endorsed  by  the 
CSA  creating  the  program  and  may  be  reflected  as  an 
overprint  to  this  Supplement. 

1-101.  Scope. 

a.  The  policy  and  guidance  contained  herein  and 
imposed  by  contract  is  binding  upon  all  persons  who 
are  granted  access  to  SAP  information.  Acceptance 
of  the  contract  security  measures  is  a  prerequisite  to 
any  negotiations  leading  to  Program  participation 
and  accreditation  of  a  Special  Access  Program  Facil¬ 
ity  (SAPF). 


b.  The  following  is  restated  from  the  baseline  for  clarity. 
If  a  contractor  determines  that  implementation  of  any 
provision  of  this  Supplement  is  more  costly  than  pro¬ 
visions  imposed  undo-  previous  U.S.  Government 
policies,  standards,  or  requirements,  the  contractor 
shall  notify  the  Cognizant  Security  Agency.  Contrac¬ 
tors  shall,  however,  implement  any  such  provision 
within  three  years  from  the  date  of  this  Supplement, 
unless  a  written  exception  is  granted  by  the  CSA. 

c.  The  DCIDs  apply  to  all  SCI  and  DCI  programs  and 
any  other  SAP  that  selects  them  as  the  program  secu¬ 
rity  measures. 

1-102.  Agency  Agreement  SAP  Program  Areas.  The 
Government  Agency  establishing  a  SAP  will  designate 
a  Program  Executive  Agent  for  the  administration,  secu¬ 
rity,  execution,  and  control  of  the  SAP.  The  Program 
Security  Officer  (PSO),  rather  than  the  Facility  CSA, 
will  be  responsible  for  security  of  the  program  and  all 
program  areas. 

1-103.  Security  Cognizance.  Those  heads  of  Agencies 
authorized  under  E.O.  12356  or  successor  order  to  cre¬ 
ate  SAPs  may  enter  into  agreements  with  the  Secretary 
of  Defense  that  establish  the  terms  of  the  Secretary  of 
Defense's  responsibilities  for  the  SAP.  When  a  Depart¬ 
ment  or  Agency  of  the  Executive  Branch  retains  cogni¬ 
zant  security  responsibilities  for  its  SAP,  the  provisions 
of  this  Supplement  will  apply. 

1-104.  Supplement  Interpretations.  Alt  contractor 
requests  for  interpretation  of  this  Supplement  will  be 
forwarded  to  the  PSO. 

1-105.  Supplement  Changes.  Users  of  this  Supple¬ 
ment  are  encouraged  to  submit  recommended  changes 
and  comments  through  their  PSO  in  concurrence  with 
the  baseline. 

1-106.  Waivers  and  Exceptions.  The  purpose  of  hav¬ 
ing  a  waiver  and  exception  policy  is  to  ensure  that  devi¬ 
ations  from  established  SAP  criteria  are  systematically 
and  uniformly  identified  to  the  Government  Program 
Manager  (GPM).  Every  effort  will  be  made  to  avoid 
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waivers  to  established  SAP  policies  and  procedures 
unless  they  are  in  the  best  interest  of  the  Government.  In 
those  cases  where  waivers  are  required,  a  request  will  be 
submitted  to  the  PSO.  As  appropriate,  the  PSO,  and  if 
necessary  the  GPM  (if  a  different  individual)  will  assess 
the  request  for  waiver  and  provide  written  approval.  If 
deemed  necessary,  other  security  measures  which 
address  the  specific  vulnerability  may  be  implemented. 

1-107.  Special  Access  Programs  Categories  and 

Types. 

a.  There  are  four  generic  categories  of  SAPs:  (1) 
Acquisition  SAP  (AQ-SAP);  (2)  Intelligence  SAP 
(IN-SAP);  (3)  Operations  and  Support  SAP  (OS- 
SAP);  and  (4)  SCI  Programs  (SCI  -  SAP)  or  other 
DCI  programs  which  protect  intelligence  sources  and 
methods. 


b.  There  are  two  tyjjes  of  SAPs,  acknowledged  and 
unacknowledged.  An  acknowledged  SAP  is  a  pro¬ 
gram  which  may  be  openly  recognized  or  known; 
however,  specifics  are  classified  within  that  SAP. 
The  existence  of  an  unacknowledged  SAP  or  an 
unacknowledged  portion  of  an  acknowledged  pro¬ 
gram,  will  not  be  made  known  to  any  person  not 
authorized  for  this  information. 


SAP 

Government/Contractor  Relationships 


'  ISSR  may  woik  for  the  CPSO,  or  work  as  a  peer  to  the  CPSO  for  AIS  purposes,  depending  on  Program  Requirements. 
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Section  2.  General  Requirements 


1-200.  Responsibilities,  A  SAP  Contractor  Program 
Manager  (CPM)  and  Contractor  Program  Security 
Officer  (CPSO)  will  be  designated  by  the  contractor. 
These  individuals  are  the  primary  focal  points  at  the 
contractor  facility  who  execute  the  contract.  They  are 
responsible  for  all  Program  matters.  The  initial  nomina¬ 
tion  or  appointment  of  the  CPSO  and  any  subsequent 
changes  will  be  provided  to  the  PSO  in  writing.  The 
criteria  necessary  for  an  individual  to  be  nominated  as 
the  CPSO  will  be  provided  in  the  Request  for  Proposal 
(RFP).  For  the  purposes  of  SAPs,  the  following  respon¬ 
sibilities  are  assigned; 

a.  The  CPM  is  (sometimes  the  same  as,  or  in  addition 
to  a  Contract  Project  Manager)  the  contractor 
employee  responsible  fon 

(1)  Overall  Program  management. 

(2)  Execution  of  the  statement  of  work,  contract, 
task  orders  and  all  other  contractual  obliga¬ 
tions. 

b.  The  CPSO  oversees  compliance  with  SAP  security 
requirements. 

The  CPSO  will; 

(1)  Possess  a  personnel  clearance  and  Program 
access  at  least  equal  to  the  highest  level  of 
Program  classified  information  involved. 

(2)  Provide  security  administration  and  manage¬ 
ment  for  his/her  organization. 

(3)  Ensure  personnel  processed  for  access  to  a 
SAP  meet  the  prerequisite  personnel  clearance 
and/or  investigative  requirements  speckled. 

(4)  Ensure  adequate  secure  storage  and  work 
spaces. 

(5)  Ensure  strict  adherence  to  the  provisions  of 
the  NISPOM  and  its  Supplement. 

(6)  When  required,  establish  and  oversee  a  classi¬ 
fied  material  control  program  for  each  SAP. 

(7)  When  required,  conduct  an  annual  inventory 
of  accountable  classified  materioL 

(8)  When  required,  establish  a  SAPF. 


(9)  Establish  and  oversee  visitor  control  program. 

(10)  Monitor  reproduction  and/or  duplication  and 
destruction  capability  of  SAP  information. 

(11)  Ensure  adherence  to  special  communications 
capabilities  within  the  SAPF. 

(12)  Provide  for  initial  Program  indoctrination  of 
employees  after  their  access  is  approved; 
rebrief  and  debrief  personnel  as  required. 

(13)  Establish  and  oversee  specialized  procedures 
for  the  transmission  of  SAP  material  to  and 
from  Program  elements. 

(14)  When  required,  ensure  contractual  spetffic 
security  requirements  such  as  TEMPEST, 
Automated  Information  System  (AIS),  and 
Operations  Security  (OPSEC)  are  accom¬ 
plished. 

(15)  Establish  security  training  and  briefings  spe¬ 
cifically  tailored  to  the  unique  requirements 
of  the  SAP. 

1-201.  *Standard  Operating  Procedures  (SOP).  The 
CPSO  may  be  required  to  prepare  a  comprehensive  SOP 
to  implement  the  security  policies  and  requirements  for 
each  SAP.  When  required,  SOPs  will  address  and  reflect 
the  contractor’s  method  of  implementing  the  PSG.  For¬ 
ward  proposed  SOPs  to  the  PSO  for  approval.  SOPs 
may  be  a  single  plan  or  series  of  individual  documents 
each  addressing  a  security  function.  Changes  to  the  SOP 
will  be  made  in  a  timely  fashion,  and  reported  to  the 
PSO  as  they  occur. 

1-202.  Badging.  Contractors  performing  on  Programs 
where  all  individuals  cannot  be  personally  identified, 
may  be  required  to  implement  a  PSO-approved  badging 
system. 

1-203.  Communications  Security  (COMSEC),  Clas¬ 
sified  SAP  information  will  be  electronically  transmit¬ 
ted  only  by  approved  secure  communications  channels 
authorized  by  the  PSO. 

1-204.  *Two-Person  Integrity  (TPI)  Requirement 
The  TPI  rule  may  be  required  and  exercised  only  with 
the  Program  CSA  approval.  This  requirement  does  not 
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apply  to  those  situations  where  one  employee  with 
access  is  left  alone  for  brief  periods  of  time,  nor  dictate 
that  those  employees  will  be  in  view  of  one  another. 

1-205.  Contractors  Questioning  Perceived  Excessive 
Security  Requirements.  All  personnel  are  highly 
encouraged  to  identify  excessive  security  measures  that 
they  believe  have  no  added  value  or  are  cost  excessive 
and  should  report  this  information  to  their  industry  con¬ 
tracting  officer  for  subsequent  reporting  through  con¬ 
tracting  channels  to  the  appropriate  GPM/PSO.  The 
GPM/PSO  will  respond  through  appropriate  channels  to 
the  contractor  questioning  the  security  requirements. 

1-206.  Security  Reviews. 

a.  General.  The  frequency  of  Industrial  Security 
Reviews  (e.g..  Reviews,  evaluations,  and  security 
surveys)  is  determined  by  the  NISPOM  and  will  be 
conducted  by  personnel  designated  by  the  CSA. 

b.  Joint  Efforts.  In  certain  cases,  an  individual  Pro¬ 
gram  may  be  a  joint  effort  of  more  than  one  compo¬ 
nent  of  the  U.S.  Government  or  more  than  one 
element  of  the  same  component.  In  such  a  case,  one 
element  will,  by  memorandum  of  agreement,  take 
the  lead  as  the  Cognizant  Security  Agency  and  may 


have  security  review  responsibility  for  the  Program 
facility.  In  order  to  ensure  the  most  uniform  and 
efficient  application  of  security  criteria,  review 
activities  at  contractor  facilities  will  be  consoli¬ 
dated  to  the  greatest  extent  possible. 

c.  Prime  Contractor  Representative.  A  security  rep¬ 
resentative  from  the  prime  contractor  may  be 
present  and  participate  during  reviews  of  subcon¬ 
tractors,  but  cannot  be  the  individual  appointed  by 
the  CSA  to  conduct  security  reviews  specified  in 
paragraph  l-206a. 

d.  Review  Reciprocity.  In  order  to  ensure  the  most 
uniform  and  efficient  application  of  security  reviews, 
review  reciprocity  at  contractor  facilities  will  be  con¬ 
sidered  whenever  possible. 

e.  Contractor  Reviews.  When  applicable,  the  U.S. 
Government  may  prescribe  the  intervals  that  the  con¬ 
tractor  will  review  their  systems. 

f.  Team  Reviews.  Team  Reviews  may  be  conducted  by 
more  than  one  PSO  based  on  mutual  consent  and 
cooperation  of  both  the  Government  and  the  contrac¬ 
tor. 
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Section  3.  Reporting  Requirements 


1-300.  General.  AU  reports  required  by  the  NISPOM 
will  be  made  through  the  PSO.  In  those  instances  where 
the  report  affects  the  baseline  facility  clearance  or  the 
incident  is  of  a  personnel  security  clearance  nature,  the 
report  will  also  be  provided  to  the  Facility  CSA.  In  those 
rare  instances  where  classified  program  information 
must  be  included  in  the  report,  the  report  will  be  pro¬ 
vided  only  to  the  PSO,  who  will  sanitize  the  reimrt  and 
provide  the  information  to  the  CSA,  if  appropriate. 

a.  Adverse  Information.  Contractors  will  report  to 
the  PSO  any  information  which  may  adversely 
reflect  on  the  Program-briefed  employee's  ability  to 
properly  safeguard  classed  Program  information. 

b.  SAP  Non-Disclosure  Agreement  (NDA).  A  report 
will  be  submitted  to  the  PSO  on  an  employee  who 
refuses  to  sign  a  SAP  NDA. 

c.  Change  in  Employee  Status.  A  written  report  of  tdl 
changes  in  the  personal  status  of  SAP  indoctri¬ 
nated  personnel  wUl  be  provided  to  the  PSO.  In 
addition  to  those  changes  identified  in  NISPOM  sub- 
paragraph  1-302C.,  include  censure  or  probation  aris¬ 
ing  from  an  adverse  personnel  action,  and 
revocation,  or  suspension  downgrading  of  a  security 
clearance  or  Program  access  for  reasons  other  than 
security  administration  purposes. 

d.  Employees  Desiring  Not  to  Perform  on  SAP 
Classified  Work.  A  report  will  be  made  to  the 
PSO  upon  notification  by  an  accessed  employee 
or  an  employee  for  whom  access  has  been 
requested  that  they  no  longer  wish  to  perform  on 
the  SAP.  Pending  further  instructions  from  the 
PSO,  the  report  will  be  destroyed  in  30  days. 

g  vpoiieign  TVavel.  The  PSO  may  require  reports  of  all 
travel  outside  the  continental  United  States,  Hawaii, 
Alaska  and  the  U.S.  possessions  (i.e.,  Puerto  Rico) 
except  same-day  travel  to  border  areas  (i.e.,  Canada, 
Mexico)  for  Program-accessed  personnel.  Such 
travel  is  to  be  reported  to  the  CPSO,  and  retained  for 
the  life  of  the  Contract/Program  travel.  Travel  by 
Program-briefed  individuals  into  or  through  coun¬ 
tries  determined  by  the  CSA  as  high-risk  areas, 
should  not  be  undertaken  without  prior  notification. 
A  supplement  to  the  report  outlining  the  typje  and 
extent  of  contact  with  foreign  nationals,  and  any 
attempts  to  solicit  information  or  establish  a  continu¬ 
ing  relationship  by  a  foreign  national  may  be 
required  upon  completion  of  travel. 


f.  Arms  Control  TVeaty  Visits.  The  GPM  and  PSO 
will  be  notified  in  advance  of  any  Arms  Control 
Treaty  Visits.  Such  reports  permit  the  GPM  and  PSO 
to  assess  potential  impact  on  the  SAP  activity  and 
effectively  provide  guidance  and  assistance. 

g.  Litigation.  Litigation  or  public  proceedings  which 
may  involve  a  SAP  wiU  be  reported.  These  include 
legal  proceedings  and/or  administrative  actions  in 
which  the  prime  contractor,  subcontractors,  or  Gov¬ 
ernment  organizations  and  their  Program-briefed 
individuals  are  a  named  party.  The  CPSO  will  report 
to  the  PSO  any  litigation  actions  that  may  pertain 
to  the  SAP,  to  include  the  physical  enviroments, 
facilities  or  personnel  or  as  otherwise  directed  by 
the  GPM. 

1-301.  Security  Violations  and  Improper  Handing  of 
Classified  Information.  Requirements  of  the  NISPOM 
baseline  pertaining  to  security  violation  are  applicable, 
except  that  all  communications  will  be  appropriately 
mad‘>  through  Program  Security  Channels  within  24 
hours  of  discovery  to  the  PSO.  The  PSO  must  promptly 
advise  the  Facility  CSA  in  all  instances  where  national 
security  concerns  would  impact  on  collateral  security 
programs  or  clearances  of  individuals  under  the  cogni¬ 
zant  of  the  Facility  CSA. 

a.  Security  Violations  and  Infractions 

(1)  Security  Violation.  A  security  violation  is  any 
incident  that  involves  the  loss,  compromise,  or 
suspected  compromise  of  classified  information. 
Security  violations  will  be  immediately 
reported  within  24  hours  to  the  PSO. 

(2)  Security  Infraction.  A  security  infraction  is  any 
other  incident  that  is  not  in  the  best  interest  of 
security  that  does  not  involve  the  loss,  compro¬ 
mise,  or  suspected  compromise  of  classified 
information.  Security  infractions  will  be  doc¬ 
umented  and  made  available  for  review  by 
the  PSO  during  visits. 

b.  Inadvertent  Disclosure.  An  inadvertent  disclosure  is 
the  involuntary  unauthorized  access  to  classified  SAP 
information  by  an  individual  without  SAP  access 
authorization.  Personnel  determined  to  have  had 
unauthorized  or  inadvertent  access  to  classified  SAP 
information  (1)  should  be  interviewed  to  determine 
the  extent  of  the  exposing,  and  (2)  may  be  requested  to 
complete  an  Inadvertent  Disclosure  Oath. 
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(1)  If  during  emergency  response  situations,  guard 
personnel  or  local  emergency  authorities  (e.g., 
police,  medical,  fire,  etc.)  inadvertently  gain 
access  to  Program  material,  they  should  be  inter¬ 
viewed  to  determine  the  extent  of  the  exposure. 
If  circumstances  warrant,  a  preliminaiy  inquiiy 
will  be  conducted.  When  in  doubt,  contact  the 
PSO  for  advice. 

(2)  Refusal  to  sign  an  inadvertent  disclosure  oath 
will  be  reported  by  the  CPSO  to  the  PSO. 

(3)  Contractors  shall  report  all  unauthorized  dis¬ 
closures  involving  RD  or  Formerly  Restricted 
Data  (FRD)  to  Department  of  Energy  (DOE) 
or  Nuclear  Regulatory  Commission  (NRC) 
through  their  CSA. 
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Chapter  2 
Security  Clearances 

Section  1.  Facility  Clearances 


2-100.  General.  Contractors  will  possess  a  Facility 
Security  Clearance  to  receive,  generate,  use,  and  store 
classified  information  that  is  protected  in  SAPs. 

a.  If  a  facility  clearance  has  already  been  granted,  the 
SAP  Program  Executive  Agent  may  carve  in  the 
Facility  CSA.  The  agreement  entered  into  by  the 
Secretary  of  Defense  (SECDEF)  with  the  other 
CSA’s  will  determine  the  terms  of  responsibility  for 
the  Facility  CSA  with  regard  to  SAP  programs.  Due 
to  the  sensitivity  of  some  SAPs,  the  program  may  be 
carved  out  by  the  Executive  Agent  designated  by  the 
CSA. 

b.  The  CPSO  shall  notify  the  PSO  of  any  activity  which 
affects  the  Facility  Security  Clearance,  (FCL). 

c-  In  certain  instances,  security  and  the  sensitivity  of 
the  project  may  require  the  contract  and  the  associa¬ 
tion  of  the  contractor  with  the  Program  CSA  be 
restricted  and  kept  at  a  classified  level.  The  existence 
of  any  unacknowledged  effort,  to  include  its  SAPF, 
will  not  be  released  without  prior  approval  of  the 
PSO. 

2-101.  Co-UtUization  of  SAPF- If  multiple  SAPs  are 
located  within  a  SAPF,  a  Memorandum  of  Agreement 
(MOA)  shall  be  written  between  government  program 
offices  defining  areas  of  authorities  and  responsibilities. 
The  first  SAP  in  an  area  shall  be  considered  to  be  the 
senior  program  and  therefore  the  CSA  for  the  zone 
unless  authority  or  responsibility  is  specifically  dele¬ 
gated  in  the  MOA.  The  MOA  shall  be  executed  prior  to 
the  introduction  of  the  second  SAP  into  the  SAPF. 


2-102.  Access  of  Senior  Management  Officials.  Only 
those  Senior  Management  Officials  requiring  informa¬ 
tion  pertaining  to  the  SAP  shall  be  processed  SAP 
access. 

2-103.  Facility  Clearances  for  Multifacility  Organi¬ 
zations. 

a.  When  cleared  employees  are  located  at  uncleared 
locations,  the  CPSO  may  designate  a  cleared  man¬ 
agement  official  at  the  uncleared  location  who  shall: 

(1)  Process  classified  visit  requests,  conduct  initial 
or  recurring  briefings  for  cleared  employees,  and 
provide  written  confirmation  of  the  briefing  to 
the  CPSO. 

(2)  Implement  the  reporting  requirements  of  the 
NISPOM  and  this  Supplement  for  all  cleared 
employees  and  furnish  reports  to  the  CPSO  for 
further  submittal  to  the  CSA. 

(3)  Ensure  compliance  with  all  applicable  measures 
of  the  NISPOM  and  this  Supplement  by  all 
cleared  employees  at  that  location. 

b.  If  a  cleared  management  official  is  not  available  at 
the  uncleared  location,  the  CPSO  (or  designee)  shall 
conduct  the  required  briefing  during  visits  to  the 
uncleared  location  or  during  employee  visits  to  the 
location  or  establish  an  alternative  procedure  with 
CSA  approval. 
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Section  2.  Personnel  Clearances  and  Access 


2-200.  General.  This  section  establishes  the  require¬ 
ments  for  the  selection,  processing,  briefing,  and 
debriefing  of  contractor  personnel  for  SAPs. 

2-201.  Program  Accessing  Requirements  and  Proce¬ 
dures. 

a.  The  individual  will  have  a  valid  need-to-know 
(NTK)  and  will  materially  and  directly  contribute  to 
the  Program, 

b.  The  individual  will  possess  a  minimum  of  a  cur¬ 
rent,  final  SECRET  security  clearance  or  meet  the 
investigative  criteria  required  for  the  level  of 
access.  If  a  person’s  periodic  reinvestigation  (PR)  is 
outside  the  five-year  scope  and  all  other  access  pro¬ 
cessing  is  current  and  valid,  the  PSO  may  authorize 
access.  However,  the  individual  will  be  immediately 
processed  for  either  a  Single  Scope  Background 
Investigation  (SSBI)  or  National  Agency  Check  with 
Credit  (NACC)  as  required  by  the  level  of  clearance 
or  as  otherwise  required  by  the  contract. 

c.  The  contractor  will  nomincUe  the  individual  and 
provide  a  description  of  the  NTK  justification.  The 
CPM  will  concur  with  the  nomination  and  verify 
Program  contribution  by  signature  on  the  Program 
Access  Request  (PAR),  The  CPSO  will  complete  the 
PAR  and  review  it  for  accuracy  ensuring  all 
required  signatures  are  present.  The  CPSO  signa¬ 
ture  verifies  that  the  security  clearance  and  investiga¬ 
tive  criteria  are  accurate,  and  that  these  criteria 
satisfy  the  requirements  of  the  Program.  Information 
regarding  the  PAR  may  be  electronically  submitted. 
While  basic  information  shall  remain  the  same,  sig¬ 
natures  may  not  be  required.  The  receipt  of  the  PAR 
package  via  a  preapproved  channel  shall  be  consid¬ 
er^  sufficient  authentication  that  the  required 
approvals  have  been  authenticated  by  the  CPSO  and 
contractor  program  manager. 

d.  Access  Criteria  and  Evaluation  Process.  In  order 
to  eliminate  those  candidates  who  clearly  will  not 
meet  the  scope  for  access  and  to  complete  the  Per¬ 
sonnel  Security  Questionnaire  (PSQ),  access  evalua¬ 
tion  may  be  required.  In  the  absence  of  written 
instructions  from  the  contracting  activity,  the  evalua¬ 
tion  process  will  conform  to  the  following  guide¬ 
lines: 


(1)  Evaluation  criteria  will  not  be  initiated  at  the 
contractor  level  unless  both  the  employee  and 
contractor  agree. 

(2)  Contractors  will  not  perform  access  evaluation 
for  other  contractors. 

(3)  Access  evaluation  criteria  will  be  specific  and 
will  not  require  any  analysis  or  interpretation  by 
the  contractor.  Access  evaluation  criteria  will  be 
provided  by  the  government  as  required. 

(4)  Those  candidates  eliminated  during  this  process 
will  be  advised  that  access  processing  has  termi¬ 
nated. 

e.  Submit  a  Letter  of  Compelling  Need  or  other  docu¬ 
mentation  when  requested  by  the  PSO. 

f.  Formats  required  for  the  processing  of  a  SAP  access 
fall  into  two  categories:  those  required  for  the  con¬ 
duct  of  the  investigation  and  review  of  the  individ¬ 
ual’s  eligibility,  and  those  that  explain  or  validate  the 
individual's  NTK.  These  constitute  the  PAR  package. 
The  PAR  package  used  for  the  access  approval  and 
NTK  verification  will  contain  the  following:  the  PAR 
and  a  recent  (within  90  days)  PSQ  reflecting  pen  and 
ink  changes,  if  any,  signed  and  dated  by  the  nominee. 

g.  Once  the  PAR  package  has  been  completed,  the 
CPSO  will  forward  the  candidate’s  nomination  pack¬ 
age  to  the  PSO  for  review: 

(1)  The  PSO  will  review  the  PAR  package  and 
determine  access  eligibility. 

(2)  Access  approval  or  denial  will  be  determined  by 
the  GPM  and/or  access  approval  authority. 

(3)  The  PSO  will  notify  the  contractor  of  access 
approval  or  denial. 

(4)  Subcontractors  may  submit  the  PAR  package  to 
the  prime.  The  prime  will  review  and  concur  on 
the  PAR  and  forward  the  PAR  and  the  unopened 
PSQ  package  to  the  PSO. 


2-2-1 


h.  SCI  access  will  follow  guidelines  established  in 
DCID  1/14. 

2-202.  Supplementary  Measures  and  Polygraph. 

a.  Due  to  the  sensitivity  of  a  Program  or  criticality  of 
information  or  emerging  technology,  a  polygraph 
may  be  required.  The  polygraph  examination  will  be 
conducted  by  a  properly  trained,  certified,  U.S.  Gov¬ 
ernment  Polygraph  Specialist.  If  a  PR  is  outside  the 
5-year  investigative  scope,  a  polygraph  may  be  used 
as  an  interim  basis  to  grant  access  until  completion 
of  the  PR. 

b.  There  are  three  categories  of  polygraph:  Counterin¬ 
telligence  (Cl),  Full  Scope  (Cl  and  life  style),  and 
Special  Issues  Polygraph  (SIP).  The  type  of  poly¬ 
graph  conducted  will  be  determined  by  the  CSA, 

2-203.  Suspension  and  Revocation.  All  PSO  direction 
to  contractors  involving  the  suspension  or  revocation  of 
an  employee’s  access  will  be  provided  in  writing  and  if 
appropriate,  thru  the  contracting  officer. 


2-204.  Appeal  Process.  The  CSA  will  establish  an 
appeal  process. 

2-205.  Agent  of  the  Government  The  Government  may 
designate  a  contractor-nominated  employee  as  an  Agent 
of  the  GovOTiment  on  a  case-by-case  basis.  Applicable 
training  and  requirements  will  be  provided  by  the  Gov¬ 
ernment  to  contractors  designated  as  Agents  of  the  Gov¬ 
ernment. 

2-206  Access  Roster  or  List  Current  access  rosters 
of  Program-briefed  individuak  are  required  at  each 
contractor  location.  They  should  be  properly  protected 
and  maintained  in  accordance  with  the  PSG.  The  access 
roster  should  be  continually  reviewed  and  reconciled  for 
any  discrepancies.  The  data  base  or  listing  may  contain 
the  name  of  the  individual  organization,  position,  billet 
number  (if  applicable),  level  of  access,  social  security 
number,  military  rank/grade  or  comparable  civilian  rat¬ 
ing  scheme,  and  security  clearance  information.  Secu^ 
rity  personnel  required  for  adequate  security  oversight 
will  not  count  against  the  billet  structure. 
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Chapter  3 

Security  Training  and  Briefings 

Section  1.  Security  Training  and  Briefings 


3-100.  General.  Every  Special  Access  Program  (SAP) 
will  have  a  Security  Training  and  Briefing  Program, 
As  a  minimum,  SAP-indoctrinated  personnel  will  be 
provided  the  same  or  similar  training  and  briefings  as 
outlined  in  the  baseline  NISPOM.  In  addition,  CPSOs 
responsible  for  SAPs  at  contractor  facilities  will  estab¬ 
lish  a  Security  Education  Program  to  meet  any  specific 
or  unique  requirements  of  individual  special  €u:cess 
programs.  Topics  which  will  be  addressed,  if  appropri¬ 
ate  to  the  facility  or  the  SAP(s),  include: 

a.  Security  requirements  unique  to  SAPs; 

b.  Protection  of  classified  relationships; 

c.  Operations  Security  (OPSEC); 

d.  Use  of  nicknames  and  code  words; 

e.  Use  of  special  transmission  methods; 

f.  Special  test-range  security  procedures; 

g.  Procedures  for  unacknowledged  SAP  security.  An 
unacknowledged  SAP  will  require  additional  secu¬ 
rity  training  and  briefings,  beyond  that  required  in 
the  baseline.  Additional  requirements  will  be  speci¬ 
fied  in  the  Contract  Security  Classification  Specifica¬ 
tion  and  will  address  steps  necessary  to  protect 
sensitive  relationships,  locations,  and  activities. 

h.  Specific  procedures  to  report  fraud,  waste,  and 
abuse. 

i.  Computer  security  education  that  is  to  include  opera¬ 
tional  procedures,  threats,  and  vulnerabilities. 

j.  Writing  unclassified  personnel  appraisals  and 
reviews. 

k.  Third-Party  Introductions.  The  purpose  of  the  Third- 
Party  Introduction  is  to  provide  a  clearance  and/or 
access  verification  to  other  cleared  personnel.  The 
introduction  is  accomplished  by  a  briefed  third  party, 
who  has  knowledge  of  both  individual’s  access. 


3-101.  Security  IValning.  The  CPSO  will  ensure  that 
the  following  security  training  measures  are  imple¬ 
mented: 

a.  Initial  Program  Security  Indoctrination.  Every 
individual  accessed  to  a  SAP  will  be  given  an  initial 
indoctrination.  The  briefing  will  clearly  identify  the 
information  to  be  protected,  the  reasons  why  this 
information  requires  protection,  and  the  need  to 
execute  a  NDA.  The  individual  will  be  properly 
briefed  concerning  the  security  requirements  for 
the  Program,  understand  their  particular  secu¬ 
rity  responsibilities,  and  will  sign  a  NDA.  This 
indoctrination  is  in  addition  to  any  other  briefing 
required  for  access  to  collateral  classified  or  com¬ 
pany  proprietary  information.  It  will  be  the  responsi¬ 
bility  of  the  PSO  to  provide  to  the  contractor 
information  as  to  what  will  be  included  in  the  initial 
indoctrination  to  include  fraud,  waste,  and  abuse 
reporting  procedures. 

b.  Professionalized  AIS  training  may  be  required  of  all 
contractor  Information  Systems  Security  Representa¬ 
tives  (ISSRs)  to  ensure  that  these  individuals  have 
the  appropriate  skills  to  perform  their  job  functions 
in  a  competent  and  cost-effective  manner.  This  train¬ 
ing  will  be  made  available  by  the  CSA.  The  training 
should  consist  of,  but  not  be  limited  to,  the  following 
criteria: 

(1)  Working  knowledge  of  all  applicable  and 
national  CSA  regulations  and  policies  including 
those  contained  in  this  supplement; 

(2)  Use  of  common  Information  Security 
(INFOSEC)  practices  and  technologies; 

(3)  AIS  certification  testing  procedures; 

(4)  Use  of  a  risk  management  methodology; 

(5)  Use  of  configuration  management  methodology. 
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3-102,  Unacknowledged  Special  Access  Programs 
(SAP).  Unacknowledged  SAPs  require  a  significantly 
greater  degree  of  protection  than  acknowledged  SAPs, 
Special  emphasis  should  be  placed  on: 

a.  Why  the  SAP  is  unacknowledged; 

b.  Classification  of  the  SAP; 

c.  Approved  coimiiunications  system; 

d.  Approved  transmission  systems; 

e.  Visit  procedures; 

f.  Specific  program  guidance, 

3-103.  Refresher  Briefings.  Every  accessed  individual 
will  receive  an  annual  refresher  briefing  from  the 
CPSO  to  include  the  following,  as  a  minimum: 

a.  Review  of  Program-unique  security  directives  or 
guidance; 

b.  Review  of  those  elements  contained  in  the  original 
NDA, 

Note.  The  PSO  may  require  a  record  to  be  maintained  of 
this  training, 

3-104.  Debriefing  and/or  Access  Termination.  Per¬ 
sons  briefed  to  SAPs  will  be  debriefed  by  the  CPSO  or 
his  designee.  The  debriefing  will  include  as  a  mini¬ 
mum  a  reminder  of  each  individual* s  responsibili¬ 
ties  according  to  the  NDA  which  states  that  the 
individual  has  no  Program  or  Program-related 
material  in  his/her  possession,  and  that  he/she 
understands  his/her  responsibilities  regarding  the 
disclosure  of  classified  Program  information, 

a.  Debriefings  should  be  conducted  in  a  SAPF,  Sensi¬ 
tive  Compartmented  Information  Facility  (SCIF),  or 
other  secure  area  when  possible,  or  as  authorized  by 
the  PSO. 

b.  Procedures  for  debriefing  will  be  arranged  to  allow 
each  individual  the  opportunity  to  ask  questions  and 
receive  substantive  answers  from  the  debriefer. 

c.  Debriefing  Acknowledgments  will  be  used  and  exe¬ 
cuted  at  the  time  of  the  debriefing  and  include  the 
following: 


(1)  Remind  the  individual  of  his/her  continuing 
obligations  agreed  to  in  the  SAP  NDA. 

(2)  Remind  the  individual  that  the  NDA  is  a  legal 
contract  between  the  individual  and  the  U,S. 
Government 

(3)  Advise  that  aU  classified  inf ormation  to  include 
Program  information  is  now  and  forever  the 
property  of  the  U,S,  Government 

(4)  Remind  the  individual  of  the  penalties  for  espi¬ 
onage  and  unauthorized  disclosure  as  con¬ 
tained  in  Titles  18  and  50  of  the  U.S,  Code.  The 
briefer  should  have  these  documents  available 
for  handout  upon  request  Require  the  individ¬ 
ual  to  sign  and  agree  that  questions  about  the 
NDA  have  been  answered  and  that  Titles  18 
and  50  (U.S.  Codes)  were  made  available  and 
understood. 

(5)  Remind  the  individual  of  his/her  obligation  not 
to  discuss,  publish,  or  otherwise  reveal  infor¬ 
mation  about  the  Program.  The  appearance  of 
Program  information  in  the  public  domain 
does  not  constitute  a  de  facto  release  from  the 
continuing  secrecy  agreement, 

(6)  Advise  that  any  future  questions  or  concerns 
regarding  the  Program  (e.g.,  solicitations  for 
information,  approval  to  publish  material 
based  on  Program  knowledge  and/or  experi¬ 
ence)  will  be  directed  to  the  CPSO.  The  indi¬ 
vidual  will  be  provided  a  telephone  number  for 
the  CPSO  or  PSO. 

(7)  Advise  that  each  provision  of  the  agreement  is 
severable,  Le.,  if  one  provision  is  declared 
unenforceable,  all  others  remain  in  force. 

(8)  Emphasize  that  even  though  an  individual 
signs  a  Debriefing  Acknowledgment  Statement, 
he/she  is  never  released  from  the  original 
NDA/secrecy  agreement  unless  specifically 
notified  in  writing, 

d.  Verify  the  return  of  any  and  all  SAP  classified  mate¬ 
rial  and  unclassified  Program-sensitive  material  and 

identify  all  security  containers  to  which  the  individ¬ 
ual  had  access. 
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e.  When  debriefed  for  cause,  include  a  brief  statement 
as  to  the  reason  for  termination  of  access  and  notify 
the  PSO.  In  addition  the  CPSO  will  notify  all  agen¬ 
cies  holding  interest  in  that  person’s  clearance/ 
accesses. 

f.  The  debriefer  will  advise  persons  who  refuse  to  sign 
a  debriefing  acknowledgment  that  such  refusal  could 
affect  future  access  to  special  access  programs  and/ 
or  continued  clearance  eligibility.  It  could  be  cause 
for  administrative  sanctions  and  it  will  be  reported  to 
the  appropriate  Government  Clearance  Agency. 

g.  Provide  a  point  of  contact  for  debriefed  employees  to 
report  any  incident  in  the  future  which  might  affect 
the  security  of  the  Program. 


3-105.  Administrative  Debriefings.  Efforts  to  have  ail 
Program- briefed  personnel  sign  a  Debriefing  Acknowl¬ 
edgment  Statement  may  prove  difficult.  If  attempts  to 
locate  an  individual  either  by  telephone  or  mail  are  not 
successful,  the  CPSO  should  prepare  a  Debriefing 
Acknowledgment  Statement  reflecting  the  individual 
was  administratively  debriefed.  The  Debriefing 
Acknowledgment  Statement  will  be  forwarded  to  the 
PSO,  The  CPSO  will  check  to  ensure  that  no  Program 
material  is  charged  out  to,  or  in  the  possession  of  these 
persons, 

3-106 .  Recognition  and  Award  Program.  Recognition 
and  award  programs  could  be  established  to  single  out 
those  employees  making  significant  contributions  to 
Program  contractor  security.  If  used,  CPSOs  will  review 
award  write-ups  to  ensure  recommendations  do  not  con¬ 
tain  classified  information. 


Chapter  4 

Classification  and  Markings 

Section  1.  Classification 


Challenges  to  Classification.  Afl  challenges  to  SAP 
classified  information  and/or  material  shall  be  for¬ 
warded  through  the  CPSO  to  the  PSO  to  the  appropri¬ 
ate  Government  contracting  activity.  All  such 
challenges  shall  remain  in  Program  channels. 
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Section  2.  Marking  Requirements 


4-200.  General.  Classified  material  that  is  developed 
under  a  SAP  will  be  marked  and  controlled  in 
accordance  with  the  NISPOM,  this  Supplement,  the 
Program  Security  Classification  Guide,  and  other 
Program  guidance  as  directed  by  the  PSD. 

4-201.  Additional  Provisions  and  Controls.  The  PSO 
may  specify  additional  markings  to  be  applied  to  SAP 
working  papers  based  on  the  sensitivity  and  criticality  of 
the  Program,  when  approved  by  the  CSA. 

4-202.  Engineer's  Notebook.  An  engineer's  notebook 
is  a  working  record  of  continually  changing  Program 
technical  data.  It  should  NOT  include  drafts  of  corre¬ 
spondence,  reports,  or  other  materials.  The  outer  cover 
and  first  page  will  be  marked  with  the  highest  classi¬ 
fication  level  contained  in  the  notebook.  Portion 
marking  or  numbering  is  not  required.  Other  require¬ 
ments  pertaining  to  these  notebooks  may  be  imposed  by 
the  PSO. 

4-203.  Cover  Sheets.  Cover  sheets  will  be  applied  to 
SAP  documents  when  the  documents  are  created  or 
distributed.  NOTE:  CODE  WORDS  WILL  NOT  BE 
PRINTED  ON  THE  COVER  SHEETS.  The  unclassi¬ 
fied  nickname,  digraph,  or  trigraph  may  be  used. 


4-204.  Warning  Notices.  Generally,  Program  classi¬ 
fied  marking  and  transmission  requirements  will 
follow  this  Supplement.  Transmission  of  Program  or 
Program-related  material  will  be  determined  by  the 
PSO.  Besides  the  classifications  markings,  inner 
containers  will  be  marked: 

‘‘TO  BE  OPENED  ONLY  BY:”  followed  by  the 
name  of  the  individual  to  whom  the  material  is  sent. 
A  receipt  may  be  required.  Apply  the  following  mark¬ 
ings  on  the  bottom  center  of  the  front  of  the  inner  con¬ 
tainer: 

WARNING 

THIS  PACKAGE  CONTAINS  CLASSMED  U.S, 
GOVERNMENT  INFORMATION.  TRANSMISSION 
OR  REVELATION  OF  THIS  INFORMATION  IN 
ANY  MANNER  TO  AN  UNAUTHORIZED  PERSON 
IS  PROHIBITED  BY  TITLE  18,  U.S.  CODE,  SEC¬ 
TION  798  (OR  TITLE  42,  SECTION  XX  FOR  RD  OR 
FRD  MATERIAL).  IF  FOUND,  PLEASE  DO  NOT 
OPEN.  ’’CALL  COLLECT  ”  THE  FOLLOWING  NUM¬ 
BERS,  (area  code)  (number)  (PSO/CPSO  work  number) 
DURING  WORKING  HOURS  OR  (area  code)  (num¬ 
ber)  (PSO/CPSO)  AFTER  WORKING  HOURS. 
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Chapter  5 

Safeguarding  Classified  Information 

Section  1.  General  Safeguarding  Requirements 


5-100.  General.  Classified  and  unclassified  sensitive 
SAP  material  must  be  stored  in  SAP  CSA  approved 
facilities  only.  Any  deviations  must  have  prior  approval 
of  the  SAP  CSA  or  designee. 
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Section  2.  Control  and  Accountability 


5-200.  General.  Contractors  shall  develop  and  main¬ 
tain  a  system  that  enables  control  of  SAP  classified 
information  and  unclassified  Program  sensitive  infor¬ 
mation  for  which  the  contractor  is  responsible. 

5-201.  Accowntability.  AccoH«to&/%  of  class  fied  SAP 
material  shall  be  determined  and  approved  in  writing 
by  the  CSA  or  designee  at  the  time  the  SAP  is  approved. 
A  separate  accountability  control  system  may  be 
required  for  each  SAP. 

5-202.  Annual  Inventory.  An  annual  inventory  of  ac¬ 
countable  SAP  classified  material  may  be  required.  The 
results  of  the  inventory  and  any  discrepancies  may  be 
required  to  be  reported  in  writing  to  the  PSO. 


5-203.  Collateral  classified  material  required  to  support 
a  SAP  contract  may  be  transferred  within  SAP  controls. 
Transfer  will  be  accomplished  in  a  manner  that  wiU 
not  compromise  the  SAP  or  any  classified  information. 
The  PSO  will  provide  oversight  for  collateral  classified 
material  maintained  in  the  SAP.  Collateral  classified 
material  generated  during  the  performance  of  a  SAP 
contract  may  be  transferred  from  the  SAP  to  the  con¬ 
tractor's  collateral  classified  system.  The  precautions 
required  to  prevent  compromise  will  be  approved  by  the 
PSO. 
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Section  3.  Storage  and  Storage  Equipment 


(not  further  supplemented) 
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Section  4.  IVansmission 


5-400,  General.  SAP  classified  material  shall  be  trans¬ 
mitted  outside  the  contractor’s  facility  in  a  manner 
that  prevents  loss  or  unauthorized  access. 

5-401.  Preparation.  All  classified  SAP  material  will  be 
prepared,  reproduced,  and  packaged  by  Program- 
briefed  personnel  in  approved  Program  facilities. 

5-402.  Couriers.  The  PSO  through  the  CPSO  will  pro¬ 
vide  detailed  courier  instructions  to  couriers  when 
hand-carrying  SAP  material  The  CPSO  will  provide 
the  courier  with  an  authorization  letter.  Report  any 
travel  anomalies  to  the  CPSO  as  soon  as  practical.  The 
CPSO  will  notify  the  PSO. 

5-403.  Secure  Facsimile  and/or  Electronic  Transmis¬ 
sion.  Secure  facsimile  and/or  electronic  transmission 
encrypted  communications  equipment  may  be  used  for 
the  transmission  of  Program  classified  information. 


When  secure  facsimile  and/or  electronic  transmission 
is  permitted,  the  PSO  or  other  Government  cognizant 
security  reviewing  activity  will  approve  the  system  in 
writing.  Transmission  of  classified  Program  material  by 
this  means  may  be  receipted  for  by  an  automated  system 
generated  message  that  transmission  and  receipt  has 
been  accomplished.  For  TOP  SECRET  documents  a 
receipt  on  the  secure  facsimile  may  be  required  by  the 
PSO. 

5-404.  U,S.  Postal  Mailing.  A  U.S.  Postal  mailing  chan¬ 
nel,  when  approved  by  the  PSO,  may  be  established  to 
ensure  mail  is  received  only  by  appropriately  cleared  and 
accessed  pei*sonneL 

5-405.  TOP  SECRET  Transmission.  TOP  SECRET 
(TS)  SAP  will  be  transmitted  via  secure  data  transmis¬ 
sion  or  via  Defense  Courier  Service  unless  other 
means  have  been  authorized  by  the  PSO. 
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Section  5^  Disclosure 


5-500,  Release  of  Information,  Public  release  of  SAP 
information  is  not  authorized  without  written  authority 
from  the  Government  as  provided  for  in  US.  Code, 
Titles  10  and  42.  Any  attempt  by  unauthorized  person¬ 
nel  to  obtain  Program  information  and  sensitive  data 
will  be  reported  immediately  to  the  Government  Pro¬ 
gram  Manager  (GPM)  through  the  PSO  using  approved 
secure  communication  channels. 
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Section  6.  Reproduction 


5-600.  General.  Program  material  will  be  repro¬ 
duced  on  equipment  specially  designated  by  the 
CPSO  and  may  require  approval  by  the  PSO.  The 
CPMs  and  CPSOs  may  be  required  to  prepare  written 
reproduction  procedures. 

5-601.  The  PSO  or  designee  may  approve  reproduction 
of  TS  material. 
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Section  7.  Disposition  and  Retention 


5-700.  Disposition.  CPSOs  may  be  required  to  inven¬ 
tory,  dispose  of,  request  retention,  or  return  for  disposi¬ 
tion  all  classified  SAP-related  material  (including  AIS 
media)  at  contract  completion  and/or  close-out.  Request 
for  proposal  (RFP),  solicitation,  or  bid  and  proposal 
collateral  classified  and  unclassified  material  con¬ 
tained  in  Program  files  will  be  reviewed  and  screened 
to  determine  appropriate  disposition  (Le.,  destruction, 
request  for  retention).  Disposition  recommendations 
by  categories  of  information  or  by  document  control 
number,  when  required,  will  be  submitted  to  the  PSO 
for  concurrence.  Requests  for  retention  of  classified 
information  (SAP  and  non-SAP)  will  be  submitted  to 
the  Contracting  Officer,  through  the  PSO  for  review 
and  approval.  Requirements  for  storage  cmd  control  of 
materials  approved  for  retention  will  be  approved  by 
the  PSO. 


5-701.  Retention  of  SAP  Material.  The  contractor  may 
be  required  to  submit  a  request  to  the  Contracting 
Officer  (CO),  via  the  PSO,  for  authority  to  retain  classi¬ 
fied  material  beyond  the  end  of  the  contract  perfor¬ 
mance  period.  The  request  will  also  include  any 
retention  of  Program-related  material.  The  contractor 
will  not  retain  any  Program  information  unless  specif¬ 
ically  authorized  in  writing  by  the  Contracting  Officer. 
Storage  and  control  requirements  of  SAP  materials 
will  be  approved  by  the  PSO. 

5-702.  Destruction.  Appropriflte/y  indoctrinated  per¬ 
sonnel  shall  ensure  the  destruction  of  classified  SAP 
data  The  CSA  or  designee  may  determine  that  two  per¬ 
sons  are  required  for  destruction.  Nonaccountable  waste 
and  unclassified  SAP  material  may  be  destroyed  by  a 
single  Program-briefed  employee. 
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Section  8.  Construction  Requirements 


5-800.  General.  Establishing  a  Special  Access  Pro¬ 
gram  Facility  (SAPF).  Prior  to  commencing  work  on  a 
SAP,  the  contractor  may  be  required  to  establish  an 
approved  SAPF  to  afford  protection  for  Program  classi¬ 
fied  information  and  material.  Memorandums  of  Agree¬ 
ment  (MOA)  are  required  prior  to  allowing  SAPs  with 
different  CSAs  to  share  a  SAPF. 

5-801.  Special  Access  Program  FacUi^. 

a.  A  SAPF  is  a  program  area,  room,  group  of  rooms, 
building,  or  an  enclosed  facility  accredited  by  the 
PSO  where  classified  SAP  Program  business  is  con¬ 
ducted.  SAPFs  will  be  afforded  personnel  access 
control  to  preclude  entry  by  unauthorized  person- 
neL  Non-accessed  persons  entering  a  SAPF  will  be 
escorted  by  an  indoctrinated  person. 

b.  A  Sensitive  Compartmented  Information  Facility 
(SCIF)  is  an  area,  room,  building,  or  installation  that 
is  accredited  to  store,  use,  discuss,  or  electronically 
process  SCI.  The  standard  and  procedures  for  a  SCIF 
are  stated  in  DCIDs  1/19  and  1/21. 

c.  SAPFs  accredited  prior  to  implementation  of  this 
Supplement  will  retain  accreditation  until  no 
longer  required  or  recertification  is  required  due  to 
major  modification  of  the  external  perimeter,  or 
changes  to  the  Intrusion  Detection  System  (IDS), 
which  affects  the  physical  safeguarding  capability 
of  the  facility. 

d.  Physical  security  standards  will  be  stated  in  the 
Government’s  RFP,  RFQ,  contract,  or  other  pre¬ 
contract  or  contractual  document. 

e.  The  need-to-know  (NTK)  of  the  SAP  effort  may 
warrant  establishment  of  multi-compartments  within 
the  same  SAPF. 

f.  *There  may  be  other  extraordinary  or  unique  circum¬ 
stances  where  existing  physical  security  standards 
are  inconsistent  with  facility  operating  requirements, 
for  example,  but  not  limited  to,  research  and  test 
facilities  or  production  lines.  Physical  security 
requirements  under  these  circumstances  will  be 
established  on  a  case-by-case  basis  and  approved 
by  the  PSO/Contracting  Officer,  as  appropriate. 
(Note:  as  approved  by  the  CSA  at  establishment  of 
the  SAP.) 


g.  The  PSO  will  determine  the  appropriate  security 
countermeasures  for  discussion  areas. 

5-802.  Physical  Securi^  Criteria  Standards. 

a.  DQD  1/21  standards  may  apply  to  a  SAPF  when 
one  or  more  of  the  following  criteria  are  applicable; 

(1)  State-of-the-art  technology  as  determined  by 
CSAs  to  warrant  enhanced  protection. 

(2)  Contractor  facility  is  known  to  be  working  on 
specific  critical  technology. 

(3)  Contractor  facility  is  one  of  a  few  (3  or  less) 
known  facilities  to  have  the  capability  to  work 
on  specific  critical  technology. 

(4)  TOP  SECRET  or  SECRET  material  is  main¬ 
tained  in  open  storage. 

(5)  A  SAPF  is  located  within  a  commercial  build¬ 
ing,  and  the  contractor  does  not  control  all  adja- 
cent  spaces. 

(6)  SCI  or  Intelligence  Sources  and  methods  are 
involved. 

(7)  Contractors  or  technologies  known  to  be  a  target 
of  foreign  intelligence  services  (FIS). 

b.  The  NISPOM  baseline  closed  area  construction 
requirements  with  Sound  Transmission  Class  (STC) 
in  accordance  with  DCID  1/21,  Annex  E  and  intru¬ 
sion  alarms  in  accordance  with  Annex  B,  DCID  1/21 
may  apply  to  a  SAPF  when  one  of  the  following  cri¬ 
teria  are  applicable. 

(1)  Not  state-of-the-art  technology  and  the  technol¬ 
ogy  is  known  to  exist  outside  U.S.  Government 
control. 

(2)  The  SAP  is  a  large-scale  weapon  system  pro¬ 
duction  program. 

(3)  No  open  storage  of  Confidential  SAP  material  in 
a  secure  working  area  unless  permitted  by  the 
PSO  on  a  case-by-case  basis. 
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(4)  A  S APF  located  within  a  controlled  access  area. 

(5)  Intelligence  related  activities. 

c.  The  PSO  may  approve  baseline  closed  area  construc¬ 
tion  requirements  as  an  additional  option  for  some 
SAP  program  areas. 

5-803,  SAP  Secure  Working  Area,  The  PSO  may  ap¬ 
prove  any  facility  as  a  SAP  Secure  Working  Area.  Visual 
and  sound  protection  may  be  provided  by  a  mix  of  phys¬ 
ical  construction,  perimeter  control,  guards,  and/or  in¬ 
doctrinated  workers. 

5-804,  Temporary  SAPF.  The  PSO  may  accredit  a  tem¬ 
porary  SAPF. 

5-805,  Guard  Response, 

a.  Response  to  alarms  will  be  in  accordance  with 
DClDl/21,or 

b.  TheNISPOM 

c.  Response  personnel  will  remain  at  the  scene  until 
released  by  the  CPSO  or  designated  representative, 

NOTE:  The  CPSO  will  immediately  provide  not^a- 
tion  to  the  PSO  if  there  is  evidence  of  forced  entry, 
with  a  written  report  to  follow  within  72  hours, 

5-806.  Facility  Accreditation, 

a.  Once  a  facility  has  been  accredited  to  a  stated  level 
by  a  Government  Agency,  that  accreditation  should 
be  accepted  by  any  subsequent  agency. 


b.  For  purposes  of  co-utilization,  costs  associated  with 
any  security  enhancements  in  a  SCIF  or  SAPF  above 
preexisting  measures  may  be  negotiated  for  reim¬ 
bursement  by  the  contractor’s  contracting  officer  or 
designated  representative.  Agreements  will  be  nego¬ 
tiated  between  affected  organizations. 

c.  If  a  previously  accredited  SAPF  becomes  inactive 
foraperiod  not  to  exceed  one  year,  the  SAP  accred¬ 
itation  will  be  reinstated  by  the  gaining  accrediting 
agency  provided  the  following  is  true: 

(1)  The  threat  in  the  environment  surrounding  the 
SAPF  has  not  changed; 

(2)  No  modifications  have  been  made  to  the  SAPF 
which  affect  the  level  of  safeguarding; 

(3)  The  level  of  safeguarding  for  the  new  Program 
is  comparable  to  the  previous  Program; 

(4)  The  SAPF  has  not  lost  its  SAP  accreditation 
integrity  and  the  contractor  has  maintained  con¬ 
tinuous  control  of  the  facility. 

(5)  A  technical  surveillance  countermeasure  survey 
(TSCM)  may  be  required. 

NOTE:  Previously  granted  waivers  are  subject  to  nego¬ 
tiation. 

5-807,  Prohibited  Items.  Items  that  constitute  a  threat 
to  the  security  integrity  of  the  SAPF  (e.g.,  cameras  or 
recording  devices)  are  prohibited  unless  authorized  by 
the  PSO.  AH  categories  of  storage  media  entering  and 
leaving  the  SAPFs  may  require  the  PSO  or  his/her  des¬ 
ignated  representative  approval. 
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Chapter  6 
Visits  and  Meetings 

Section  1.  Visits 


6-100.  General,  A  visit  certification  request  for  all 
Program  visits  will  be  made  prior  to  a  visit  to  a  Pro¬ 
gram  facility.  When  telephone  requests  are  made,  a 
secure  telephone  should  be  used  whenever  possible. 
Visit  requests  will  be  handled  exclusively  by  the  cogni¬ 
zant  CPSO  or  designated  representative.  The  GPM  or 
PSO  or  his/her  designated  representative  will  approve 
all  visits  between  Program  activities.  However,  visits 
between  a  prime  contractor  and  the  primers  subcon¬ 
tractors  and  approved  associates  will  be  approved  by 
the  CPSO.  Twelve-month  visit  requests  are  not  autho¬ 
rized  unless  approved  by  the  PSO. 

6-101.  VisU  Request  Procedures.  All  visit  requests  will 
be  sent  only  via  approved  channels.  In  addition  to  the 
NISPOM,  the  following  additional  information  for  vis¬ 
its  to  a  SAPF  will  include: 

a.  Name  and  telephone  number  of  individual  (not 
organization)  to  be  visited; 

b.  Designation  of  person  as  a  Program  courier  when 
applicable;  and 

c.  Verfication  (e.g.,  signature)  of  the  CPSO  or  desig¬ 
nated  representative  that  the  visit  request  informa¬ 
tion  is  correct. 

6-102.  Termination  and/or  Cancellation  of  a  VisU 
Request.  If  a  person  is  debriefed  from  the  Program 
prior  to  expiration  of  a  visit  certification,  or  if  cancel¬ 
lation  of  a  current  visit  certification  is  otherwise 
appropriate,  the  CPSO/FSO  or  his/her  designated  rep¬ 
resentative  will  immediately  notify  all  recipients  of  the 
cancellation  or  termination  of  the  visit  request. 

6-103,  Visit  Procedures, 

a.  Identification  of  Visitors,  An  official  photograph 
if  identification  such  as  a  valid  driver*s  license  is 
required. 

b.  Extension,  When  a  visit  extends  past  the  date  on  the 
visit  certification,  a  new  visit  request  is  not  required 
if  the  purpose  remains  the  same  as  that  stated  on  the 
current  visit  request  to  a  specific  SAPF, 


c.  Rescheduling.  When  a  rescheduled  visit  occurs  after 
a  visit  request  has  been  received,  the  visit  certification 
will  automatically  apply  if  the  visit  is  rescheduled 
within  thirty  days  and  the  purpose  remains  the  same. 

d.  Hand -carrying.  It  is  the  responsibility  of  the  host 
CPSO  to  contact  the  visitor’s  CPSO  should  the  visi¬ 
tor  plan  to  hand-carry  classified  material.  CPSOs 
will  use  secure  means  for  notification.  In  emer¬ 
gency  situations  where  secure  communications  are 
not  available,  contact  the  PSO  for  instructions. 
When  persons  return  to  their  facility  with  SAP 
material,  they  will  relinquish  custody  of  the  mate¬ 
rial  to  the  CPSO  or  designated  representative. 
Arrangements  will  be  made  to  ensure  appropriate 
overnight  storage  and  protection  for  material 
returned  after  close  of  business. 

6-104,  Collateral  Clearances  and  Special  Access  Pro¬ 
gram  Visit  Requests,  Collateral  clearances  and  SAP 
accesses  may  be  required  in  conjunction  with  the  SAP 
visit.  If  access  to  collateral  classified  information  is 
required  outside  the  SAPF,  then  the  CPSO  can  certify 
clearances  and  accesses  as  required  within  the  facility. 
Certification  will  be  based  on  the  SAP  visit  request 
received  by  the  CPSO.  The  CPSO  will  maintmn  the 
record  copy  of  the  visit  certification.  SCI  visit  certifica¬ 
tion  will  be  forwarded  through  appropriate  SCI  channels. 

6-105.  Non-Program-Briefed  Visitors,  In  instances 
where  entry  to  a  SAPF  by  non-Program-briefed  per¬ 
sonnel  is  required  (e.g.,  maintenance,  repair),  they  will 
complete  and  sign  a  visitor's  record  and  will  be 
escorted  by  a  Program-briefed  person  at  all  times.  San- 
itizjation  procedures  will  be  implemented  in  advance  to 
ensure  that  personnel  terminate  classified  discussions 
and  other  actions  and  protect  SAP  information  when¬ 
ever  a  non-briefed  visitor  is  in  the  area.  If  mainte¬ 
nance  is  required  of  a  classified  device,  the  uncleared 
maintenance  person  shall  be  escorted  by  a  Program- 
briefed,  technically  knowledgeable  individual  Every 
effort  should  be  made  to  have  a  technically  knowledge¬ 
able  Program-briefed  person  as  an  escort. 
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6-106.  Visitor  Record.  *The  PSO  may  require  the 
CPSO  to  establish  a  Program  visitor’s  record.  This 
record  will  be  maintained  inside  the  SAPFy  and  reten¬ 
tion  may  be  required. 
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Section  2.  Meetings 


(not  further  supplemented) 


\ 
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Chapter  7 
Subcontracting 

Section  1.  Prime  Contracting  Responsibilities 


7-100,  General,  This  section  addresses  the  responsibili¬ 
ties  and  authorities  of  prime  contractors  concerning  the 
release  of  classified  SAP  information  to  subcontractors. 
Prior  to  any  release  of  classified  information  to  a  pro¬ 
spective  subcontractor,  the  prime  contractor  will  deter¬ 
mine  the  scope  of  the  bid  and  procurement  effort.  Prime 
contractors  will  use  extreme  caution  when  conducting 
business  with  non-Program-briefed  subcontractors  to 
preclude  the  release  of  information  that  would  divulge 
Program-related  (classified  or  unclassified  Program  sen¬ 
sitive)  information. 

7-101.  Determining  Clearance  Status  of  Prospective 
Subcontractors,  All  prospective  subcontractor  person- 
nel  will  have  the  appropriate  security  clearance  and 
meet  the  investigative  criteria  as  specified  in  this  Sup¬ 
plement  prior  to  being  briefed  into  a  SAP.  The  eligibil¬ 
ity  criteria  will  be  determined  in  accordance  with  the 
NISPOM  and  this  Supplement.  For  acknowledged  Pro¬ 
grams,  in  the  event  a  prospective  subcontractor  does  not 
have  the  appropriate  security  clearances,  the  prime  con¬ 
tractor  will  request  that  the  cognizant  PSO  initiate  the 
appropriate  security  clearance  action.  A  determination 
will  be  made  in  coordination  with  the  PSO  as  to  the  lev¬ 
els  of  facility  clearance  a  prospective  subcontractor 
facility  has  for  access  to  classified  information  and  the 
storage  capability  level. 

7-102.  Security  Agreements  and  Briefings.  In  the  pre¬ 
contract  phase,  die  prime  contractor  will  fully  advise  the 
prospective  subcontractor  (prior  to  any  release  of  SAP 
information)  of  the  procurements  enhanced  special 
security  requirements.  Arrangements  for  subcontractor 
Program  access  will  be  pre-coordinated  with  the  PSO. 
When  approved  by  the  PSO,  the  prime  contractor  CPSO 
will  provide  Program  indoctrinations  and  obtain  NDAs 
from  the  subcontractors.  A  security  requirements  agree¬ 
ment  will  be  prepared  that  specifically  addresses  those 
enhanced  security  requirements  that  apply  to  the  sub¬ 
contractor.  The  security  requirements  agreement  may 
include  the  following  elements,  when  applicable: 

a.  General  Security  Requirements. 


b.  Reporting  Requirements. 

c.  Physical  and/or  Technical  Security  Requirements. 

d.  Release  of  Information. 

e.  Program  Classified  Control  or  Accountability. 

f.  Personnel  Access  Controls. 

g.  Security  Classification  Guidance. 

h.  Automated  Information  System, 

i.  Security  Audits  and  Reviews. 

j.  Program  Access  Criteria, 

k.  Subcontracting. 

l.  Transmittal  of  Program  Material. 

m.  Storage. 

n.  Testing  and/or  Manufacturing. 

o .  Program  Travel , 

p.  Finances. 

q.  Sanitization  of  Classified  Material. 

r.  Security  Costs  and  Charging  Policy. 

s.  Fraud,  Waste,  and  Abuse  Reporting. 

t.  Test  Planning. 

u.  OPSEC. 

V.  TEMPEST. 


7-1-1 


7-103.  Transmitting  Security  Requirements. 

Contract  Security  Classification  Specifications  pre¬ 
pared  by  the  prime  contractor  will  be  coordinated  with 
the  GPM/PSO  and  contracting  officer  prior  to  transmit¬ 
ting  to  the  subcontractor.  Contract  Security  Classifica¬ 
tion  Specifications  prepared  by  the  prime  contractor  will 
be  forwarded  to  ihe  GPM/PSO  and  contracting  officer 
for  coordination  and  signature. 
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Chapter  8 

Automated  Information  Systems  (AIS) 

Section  1.  Responsibilities 


8-100.  Introduction 

a.  Purpose  and  Scope.  This  chapter  addresses  the  pro¬ 
tection  and  control  of  information  processed  on  AIS. 
This  entire  chapter  is  contractor  required  and  is  not 
an  option.  The  type  is  not  bold  or  italicized,  because 
it  would  include  the  complete  chapter,  AISs  typi¬ 
cally  consist  of  computer  hardware,  software,  and/or 
firmware  configured  to  collect,  create,  communicate, 
compute,  disseminate,  process,  store,  or  control  data 
or  information.  This  chapter  specifies  requirements 
and  assurances  for  the  implementation,  operation, 
maintenance,  and  management  of  secure  AIS  used  in 
support  of  SAP  activities.  Prior  to  using  an  AIS  or 
AIS  network  for  processing  U.S.  Government,  Cus¬ 
tomer,  or  Program  information,  the  Contractor/  Pro¬ 
vider  will  develop  an  AIS  Security  Plan  (AISSP)  as 
described  herein  and  receive  written  Customer 
authorization  to  process  Customer  information.  Such 
authorization  to  process  requires  approval  by  the 
Customer.  The  Provider  will  also  assign  an  Informa¬ 
tion  System  Security  Representative  (ISSR)  to  sup¬ 
port  the  preparation  of  these  documents  and  to 
subsequently  manage  AIS  security  on-site  for  the 
Customer’s  program.  After  the  AISSP  is  approved  by 
the  Customer,  the  Provider  will  thereafter  conform  to 
the  plan  for  all  actions  related  to  the  Customer's  pro¬ 
gram  information.  This  information  includes  the 
selection,  installation,  test,  operation,  maintenance, 
and  modification  of  AIS  facilities,  hardware,  soft¬ 
ware,  media,  and  output, 

b.  Requirements.  The  AISSP  selected  menu  upgrades 
to  the  NISPOM  baseline  will  be  tailored  to  the  Pro¬ 
vider's  individual  AIS  configuration  and  processing 
operations.  Alternatives  to  the  protective  measures  in 
this  Supplement  may  be  approved  by  the  Customer 
after  the  Provider  demonstrates  that  the  alternatives 
are  reasonable  and  necessary  to  accommodate  the 
Customer's  needs.  Prior  to  implementation,  the  Pro¬ 
vider  will  coordinate  any  envisioned  changes  or 
enhancements  with  the  Customer.  Approved  changes 
will  be  included  in  the  AISSP.  Any  verbal  approvals 
will  subsequently  be  documented  in  writing.  The 
information  and  guidance  needed  to  prepare  and 
obtain  approval  for  the  AISSP  is  described  herein. 


c.  Restrictions.  No  personally  owned  AISs  will  be  used 
to  process  classified  information. 

8-101.  Responsibilities. 

The  Customer  is  the  Government  organization  responsi¬ 
ble  for  sponsoring  and  approving  the  classified  and/or 
unclassified  processing.  The  Provider  is  the  Contractor 
who  is  responsible  for  accomplishing  the  processing  for 
the  Customer.  The  Information  System  Security  Repre¬ 
sentative  (ISSR)  is  the  Provider-assigned  individual 
responsible  for  on-site  AIS  processing  for  the  Customer 
in  a  secure  manner. 

a.  Provider  Responsibilities.  The  Provider  will  take 
those  actions  necessary  to  meet  with  the  policies  and 
requirements  outlined  in  this  document.  The  pro¬ 
vider  will: 

(1)  Publish  and  promulgate  a  corporate  AIS  Secu¬ 
rity  Policy  that  addresses  the  classified  process¬ 
ing  environment. 

(2)  Designate  an  individual  to  act  as  the  ISSR. 

(3)  Incorporate  AISs  processing  Customer  informa¬ 
tion  as  part  of  a  configuration  management  pro¬ 
gram. 

(4)  Enforce  the  AIS  Security  Policy. 

b.  ISSR  Responsibilities.  The  Provider-designated 
ISSR  has  the  following  responsibilities: 

( 1 )  AIS  Security  Policy.  Implement  the  AIS  Secu¬ 
rity  Policy. 

(2)  AIS  Security  Program.  Coordinate  the  establish¬ 
ment  and  maintenance  of  a  formal  AIS  Security 
Program  to  ensure  compliance  with  this  docu¬ 
ment: 

(a)  AIS  Security  Plan  (AISSP).  Coordinate  the 
preparation  of  an  AISSP  in  accordance 
with  the  outline  and  instructions  provided 
in  this  document.  After  Customer 


8-1-1 


approval,  the  AISSP  becomes  the  control¬ 
ling  security  document  for  AIS  processing 
Customer  information.  Changes  affecting 
the  security  of  the  AIS  must  be  approved 
by  the  Customer  prior  to  implementation 
and  documented  in  the  AISSP. 

(b) AIS  Technical  Evaluation  Test  Plans,  For 
systems  operating  in  the  compartmented  or 
multi-level  modes,  prepare  an  AIS  Techni¬ 
cal  Evaluation  Test  Plan  in  coordination 
with  the  Customer  and  applicable  security 
documents. 

(c)  Certification.  Conduct  a  certification  test 
in  accordance  with  8-102,  c.  and  provide  a 
certification  report. 

(d)  Continuity  of  Operations  Plan  (COOP). 
When  contractually  required,  coordinate 
the  development  and  maintenance  of  an 
AIS  COOP  to  ensure  the  continuation  of 
information  processing  capability  in  the 
event  of  an  AlS-related  disaster  resulting 
from  fire,  flood,  malicious  act,  human 
error,  or  any  other  occurrence  that  might 
adversely  impact  or  threaten  to  impact  the 
capability  of  the  AIS  to  process  informa¬ 
tion.  This  plan  will  be  referenced  in  the 
AISSP. 

(e)  Documentation.  Ensure  that  all  AIS  secu¬ 
rity-related  documentation  as  required  by 
this  chapter  is  current  and  is  accessible  to 
properly  authorized  individuals. 

(f)  Customer  Coordination.  Coordinate  all 
reviews,  tests,  and  AIS  security  actions. 

(g) Auditing.  Ensure  that  the  required  audit 
trails  are  being  collected  and  reviewed  as 
stated  in  8-303. 

(h)  Memorandum  of  Agreement.  As  applica¬ 
ble,  ensure  that  Memoranda  of  Agreement 
are  in  place  for  AISs  supporting  multiple 
Customers, 

(i)  Compliance  Monitoring.  Ensure  that  the 
system  is  operating  in  compliance  with  the 
AISSP. 

(j)  AIS  Security  Education  and  Awareness. 
Develop  an  on-going  AIS  Security  Educa¬ 
tion  and  Awareness  Program. 


(k)  Abnormal  Occurrence.  Advise  Customer 
in  a  timely  manner  of  any  abnormal  event 
that  affects  the  security  of  an  approved 
AIS. 

(l)  Virus  and  malicious  code.  Advise  Cus¬ 
tomer  in  a  timely  manner  of  any  virus  and 
malicious  code  on  an  approved  AIS. 

(3)  Configuration  Management.  Participate  in  the 
configuration  management  process. 

(4)  Designation  of  Alternates.  The  ISSR  may  desig¬ 
nate  alternates  to  assist  in  meeting  the  require¬ 
ments  outlined  in  the  chapter. 

c.  Special  Approval  Authority.  In  addition  to  the 

above  responsibilities,  the  Customer  may  authorize 

in  writing  an  ISSR  to  approve  specific  AIS  security 

actions  including: 

(1)  Equipment  Movement.  Approve  and  document 
the  movement  of  AIS  equipment. 

(2)  Component  Release.  Approve  the  release  of  san¬ 
itized  components  and  equipment  in  accordance 
with  Tables  1  and  2  in  8-501. 

(3)  Stand-alone  Workstation  and  Portable  AIS 
Approval.  Approve  and  document  new  worksta¬ 
tions  in  accordance  with  an  approved  AIS  secu¬ 
rity  plan  and  the  procedures  defined  in  this 
document  for  workstations  with  identical  func¬ 
tionality.  Approve  and  document  portable  AIS. 

(4)  Dedicated  and  System  High  Network  Worksta¬ 
tion  Approval.  Approve  and  document  addi¬ 
tional  workstations  identical  in  functionality  to 
existing  workstations  on  an  approved  Local 
Area  Network  (LAN)  provided  the  workstations 
are  not  located  outside  of  the  previously  defined 
boundary  of  the  LAN. 

(5)  Other  AIS  Component  Approval.  Approve  and 
document  other  AIS  components  identical  in 
functionality  to  existing  components  on  an 
approved  LAN  provided  the  components  are  not 
located  outside  of  the  previously  defined  bound¬ 
ary  of  the  LAN. 

8-102.  Approval  To  Process. 

Prior  to  using  any  AIS  to  process  Customer  information, 
approval  will  be  obtained  from  the  Customer.  The  fol¬ 
lowing  requirements  will  be  met  prior  to  approval. 
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a.  AIS  Security  Program.  The  Provider  will  have  an 
AJS  security  program  that  includes: 

(1)  An  AIS  security  policy  and  a  formal  AIS  secu¬ 
rity  structure  to  ensure  compliance  with  the 
guidelines  specified  in  this  document; 

(2)  An  individual  whose  reporting  functionalities 
are  within  the  Provider’s  security  organization 
formally  named  to  act  as  the  ISSR; 

(3)  The  incorporation  of  AISs  processing  Customer 
information  into  the  Provider’s  configuration 
management  program.  The  Provider's  configura¬ 
tion  management  program  shall  manage 
changes  to  an  AJS  throughout  its  life  cycle.  As  a 
minimum  the  program  will  manage  changes  in 
an  AIS's: 

(a)  Hardware  components  (data  retentive 
only) 

(b)  Connectivity  (external  and  internal) 

(c)  Firmware 

(d)  Software 

(e)  Security  features  and  assurances 
(0  AISSP 

(g)  Test  Plan 

(4)  Control.  Each  AIS  will  be  assigned  to  a  desig¬ 
nated  custodian  (and  alternate  custodian)  who  is 
responsible  for  monitoring  the  AIS  on  a  continu¬ 
ing  basis.  The  custodian  will  ensure  that  the 
hardware,  installation,  and  maintenance  as 
applicable  conform  to  appropriate  requirements. 
The  custodian  will  also  monitor  access  to  each 
AIS.  Before  giving  users  access  to  any  such 
AIS,  the  custodian  will  have  them  sign  a  state¬ 
ment  indicating  their  awareness  of  the  restric¬ 
tions  for  using  the  AIS.  These  statements  will  be 
maintained  on  file  and  available  for  review  by 
the  ISSR. 

b.  AIS  Security  Plan  (AISSP).  The  Provider  will  pre¬ 
pare  and  submit  an  AISSP  covering  AISs  processing 
information  in  a  Customer’s  Special  Access  Program 
Facility  (SAPF),  following  the  format  in  Appendix 
C.  For  RD,  the  Customer  may  modify  the  AISSP  for¬ 
mat 


c.  AIS  Certification  and  Accreditation. 

( 1 )  Certification.  Certification  is  the  comprehensive 
evaluation  of  technical  and  non-technical  secu¬ 
rity  features  to  establish  the  extent  to  which  an 
AIS  has  met  the  security  requirements  necessary 
for  it  to  process  the  Customer  information.  Cer¬ 
tification  precedes  the  accreditation.  The  certifi¬ 
cation  is  based  upon  an  inspection  and  test  to 
verify  that  the  AISSP  accurately  describes  the 
AIS  configuration  and  operation  (See  Appendix 
C  and  D).  A  Certification  Report  summarizing 
the  following  will  be  provided  to  the  Customer: 

(a)  For  the  dedicated  mode  of  operation,  the 
provider  must  verify  that  access  controls, 
configuration  management,  and  other 
AISSP  procedures  are  functional. 

(b) In  addition,  for  System  High  AIS  the  ISSR 
will  verify  that  discretionary  controls  are 
implemented. 

(c) For  compartmented  and  multilevel  AIS, 
certification  also  involves  testing  to  verify 
that  technical  security  features  required  for 
the  mode  of  operation  are  functional.  Com¬ 
partmented  and  multi-level  AIS  must  have 
a  Technical  Evaluation  Test  Plan  that 
includes  a  detailed  description  of  how  the 
implementation  of  the  operating  system 
software,  data  management  system  soft¬ 
ware,  firmware,  and  related  security  soft¬ 
ware  packages  will  enable  the  AIS  to  meet 
the  Compartmented  or  Multilevel  Mode 
requirements.  The  plan  outlines  the  inspec¬ 
tion  and  test  procedures  to  be  used  to  dem¬ 
onstrate  this  compliance. 

(2)  Accreditation.  Accreditation  is  the  formal  decla¬ 
ration  by  the  Customer  that  a  classified  AIS  or 
network  is  approved  to  operate  in  a  particular 
security  mode;  with  a  prescribed  set  of  technical 
and  non-technical  security  features;  against  a 
defined  threat;  in  a  given  operational  environ¬ 
ment;  under  a  stated  operational  concept;  with 
stated  interconnections  to  other  AJS;  and  at  an 
acceptable  level  of  risk.  The  accreditation  deci¬ 
sion  is  subject  to  the  certification  process.  Any 
changes  to  the  accreditation  criteria  described 
above  may  require  a  new  accreditation. 

d.  Interim  Approval.  The  Customer  may  grant  an 
interim  approval  to  operate. 
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e.  Withdrawal  of  Accreditation.  The  Customer  may 
withdraw  accreditation  if: 

(1)  The  security  measures  and  controls  established 
and  approved  for  the  AIS  do  not  remain  effec¬ 
tive. 

(2)  The  AIS  is  no  longer  required  to  process  Cus¬ 
tomer  information. 

f.  Memorandum  of  Agreement  A  Memorandum  of 
Agreement  (MO A)  is  required  whenever  an  accred¬ 
ited  AIS  is  co-utilized,  interfaced,  or  networked 
between  two  or  more  Customers.  This  document  will 
be  included,  as  required,  by  the  Customer. 

g.  Procedures  for  Delegated  Approvals.  For  AISs 
operating  in  the  dedicated  or  system  high  modes,  the 
Customer  may  delegate  special  approval  authority  to 
the  ISSR  for  additional  AISs  that  are  identical  in 
design  and  operation.  That  is:  two  or  more  AIS  are 
identical  in  design  and  operate  in  the  same  security 
environment  (same  mode  of  operation,  process  infor¬ 
mation  with  the  same  sensitivities,  and  require  the 
same  accesses  and  clearances,  etc).  Under  these  con¬ 
ditions  the  AISSP  in  addition  to  containing  the  infor¬ 
mation  required  by  Appendix  C  shall  also  include 
the  certification  requirements  (inspection  and  tests) 
and  procedures  that  will  be  used  to  accredit  all  AISs. 
The  CSA  will  validate  that  the  certification  require¬ 
ments  are  functional  by  accrediting  the  first  AIS 
using  these  certification  requirements  and  proce¬ 
dures.  The  ISSR  may  allow  identical  AJS  to  operate 
under  that  accreditation  if  the  certification  proce¬ 
dures  are  followed  and  the  AIS  meets  all  the  certifi¬ 
cation  requirements  outline  in  the  AISSR  The  AISSP 
will  be  updated  with  the  identification  of  the  newly 
accredited  AIS  and  a  copy  of  each  certification 
report  will  be  kept  on  file. 


8-103.  Security  Reviews. 

a.  Purpose.  Customer  AIS  Security  Reviews  are  con¬ 
ducted  to  verify  that  the  Provider’s  AIS  is  operated  in 
accordance  with  the  approved  AISSP. 

b.  Scheduling.  Customer  AIS  Reviews  are  normally 
scheduled  at  least  once  every  24  months  for  Provider 
systems  processing  Customer  program  information. 
The  Customer  will  establish  specific  review  sched¬ 
ules. 

c.  Review  Responsibilities.  During  the  scheduled 
Customer  AIS  Security  Review,  the  Provider  will 
furnish  the  Customer  representative  conducting  the 
Review  with  all  requested  AIS  or  network  documen¬ 
tation.  Appropriate  Provider  security,  operations,  and 
management  representatives  will  be  made  available 
to  answer  questions  that  arise  during  the  Customer 
AIS  Review  process. 

d.  Review  Reporting.  At  the  conclusion  of  the  Cus¬ 
tomer  AIS  keview  visit,  the  Customer  will  brief  the 
Provider's  appropriate  security,  operations,  and  man¬ 
agement  representatives  on  the  results  of  the  Review 
and  of  any  discrepancies  discovered  and  the  recom¬ 
mend  measures  for  correcting  the  security  deficien¬ 
cies,  A  formal  report  of  the  Customer  AJS  Review  is 
provided  to  the  Provider's  security  organization  no 
later  than  30  days  after  the  Review. 

e.  Corrective  Measures.  The  Provider  will  respond  to 
the  Customer  in  writing  within  30  days  of  receipt  of 
the  formal  report  of  deficiencies  found  in  the  Cus¬ 
tomer  AIS  Review  process.  The  response  will 
describe  the  actions  taken  to  correct  the  deficiencies 
outlined  in  the  formal  report  of  Customer  AIS 
Review  findings.  If  proposed  actions  will  require  an 
expenditure  in  funds,  approval  will  be  obtained  from 
the  Contracting  Officer  prior  to  implementation. 
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Section  2.  Security  Modes 


8-200.  Security  Modes-General. 

a  AISs  that  process  classified  information  must  oper¬ 
ate  in  the  dedicated,  system  high,  compartmented,  or 
multilevel  mode.  Security  modes  are  authorized  vari¬ 
ations  in  security  environments,  requirements,  and 
methods  of  operating.  In  all  modes,  the  integration  of 
automated  and  conventional  security  measures  shall, 
with  reasonable  dependability,  prevent  unauthorized 
access  to  classified  information  during,  or  resulting 
from,  the  processing,  storage,  or  transmission  of 
such  information,  and  prevent  unauthorized  manipu¬ 
lation  of  the  AIS  that  could  result  in  the  compromise 
or  loss  of  classified  information. 

b.  In  determining  the  mode  of  operation  of  an  AIS, 
three  elements  must  be  addressed:  the  boundary  and 
perimeter  of  the  AIS,  the  nature  of  the  data  to  be  pro¬ 
cessed,  and  the  level  and  diversity  of  access  privi¬ 
leges  of  intended  users.  Specifically: 

(1)  The  boundary  of  an  AIS  includes  all  users  that 
are  directly  or  indirectly  connected  and  who  can 
receive  data  from  the  AIS  without  a  reliable 
human  review  by  an  appropriately  cleared 
authority.  The  perimeter  is  the  extent  of  the  AIS 
that  is  to  be  accredited  as  a  single  entity. 

(2)  The  nature  of  data  is  defined  in  terms  of  its  clas¬ 
sification  levels,  compartments,  subcompart¬ 
ments,  and  sensitivity  levels. 

(3)  The  level  and  diversity  of  access  privileges  of  its 
users  are  defined  as  their  clearance  levels,  need- 
to-know,  and  formal  access  approvals. 

8-201.  Dedicated  Security  Mode. 

a.  An  AIS  is  operating  in  the  dedicated  mode  (process¬ 
ing  either  full  time  or  for  a  specified  period)  when 
each  user  with  direct  or  indirect  access  to  the  AIS,  its 
peripherals,  remote  terminals,  or  remote  hosts  has  all 
of  the  following: 

(1)  A  valid  personnel  clearance  for  all  information 
stored  or  processed  on  the  AIS, 

(2)  Formal  access  approvals  and  has  executed  all 
appropriate  non-disclosure  agreements  for  all  the 
information  stored  and/or  processed  (including  all 
compartments,  subcompartments,  and/or  SAPs). 


(3)  A  valid  need  to  know  for  all  information  stored 
on  or  processed  within  the  AIS. 

b.  The  following  security  requirements  are  established 

for  AISs  operating  in  the  dedicated  mode: 

(1)  Be  located  in  a  S APR 

(2)  Implement  and  enforce  access  procedures  to  the 
AIS. 

(3)  All  hard  copy  output  will  be  handled  at  the  level 
for  which  the  system  is  accredited  until 
reviewed  by  a  knowledgeable  individual. 

(4)  All  media  removed  from  the  system  will  be  pro¬ 
tected  at  the  highest  classification  level  of  infor¬ 
mation  stored  or  processed  on  the  system  until 
reviewed  and  properly  marked  according  to  pro¬ 
cedures  in  the  AIS  security  plan. 

c.  Security  Features  for  Dedicated  Security  Mode. 

(1)  Since  the  system  is  not  required  to  provide  tech¬ 

nical  security  features,  it  is  up  to  the  user  to  pro¬ 
tect  the  information  on  the  system.  For  networks 
operating  in  the  dedicated  mode,  automated 
identification  and  authentication  controls  are 
required. 

(2)  For  DoD,  the  Customer  may  require  audit 
records  of  user  access  to  the  system.  Such 
records  will  include:  user  ID,  start  date  and 
time,  and  stop  date  and  time.  Logs  will  be  main¬ 
tained  lAW  8-303. 

d.  Security  Assurances  for  Dedicated  Security 

Mode. 

(1)  AIS  security  assurances  must  include  an 
approach  for  specifying,  documenting,  control¬ 
ling,  and  maintaining  the  integrity  of  all  appro¬ 
priate  AIS  hardware,  firmware,  software, 
communications  interfaces,  operating  proce¬ 
dures,  installation  structures,  security  documen¬ 
tation,  and  changes  thereto. 

(2)  Examination  of  Hardware  and  Software.  Classi¬ 
fied  AIS  hardware  and  software  shall  be  exam¬ 
ined  when  received  from  the  vendor  and  before 
being  placed  into  use. 
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(a)  Classified  AIS  Hardware.  An  examination 
shall  result  in  assurance  that  the  equipment 
appears  to  be  in  good  working  order  and 
have  no  parts  that  might  be  detrimental  to 
the  secure  operation  of  the  resource.  Sub¬ 
sequent  changes  and  developments  which 
affect  security  may  require  additional 
examination. 

(b)  Classified  AIS  Software. 

1 .  Commercially  procured  software  shall  be 
examined  to  assure  that  the  software  con¬ 
tains  no  features  which  might  be  detri¬ 
mental  to  the  security  of  the  classified 
AIS, 

2.  Security-related  software  shall  be  exam¬ 
ined  to  assure  that  the  security  features 
function  as  specified. 

(c)  Custom  Software  or  Hardware  Systems. 
New  or  significantly  changed  security  rele¬ 
vant  software  and  hardware  developed  spe¬ 
cifically  for  the  system  shall  be  subject  to 
testing  and  review  at  appropriate  stages  of 
development. 

8-202.  System  High  Security  Mode, 

a.  An  AIS  is  operating  in  the  system  high  mode  (pro¬ 
cessing  either  full  time  or  for  a  specified  period) 
when  each  user  with  direct  or  indirect  access  to  the 
AIS,  its  peripherals,  remote  terminals,  or  remote 
hosts  has  all  of  the  following: 

(1)  A  valid  personnel  clearance  for  all  information 
on  the  AIS. 

(2)  Formal  access  approval  and  has  signed  non-dis¬ 
closure  agreements  for  all  the  information  stored 
and/or  processed  (including  all  compartments 
and  subcompartments). 

(3)  A  valid  need-to-know  for  some  of  the  informa¬ 
tion  contained  within  the  system, 

b.  AISs  operating  in  the  system  high  mode,  in  addition 
to  meeting  all  of  the  security  requirements,  features, 
and  assurances  established  for  the  dedicated  mode, 
will  meet  the  following: 

(1)  Security  Features  for  System  High  Mode 


(a)  Define  and  control  access  between  system 
users  and  named  objects  (e.g.,  files  and 
programs)  in  the  AIS.  The  enforcement 
mechanism  must  allow  system  users  to 
specify  and  control  the  sharing  of  those 
objects  by  named  individuals  and/or 
explicitly  defined  groups  of  individuals. 
The  access  control  mechanism  must,  either 
by  explicit  user  action  or  by  default,  pro¬ 
vide  that  all  objects  are  protected  from 
unauthorized  access  (discretionary  access 
control).  Access  permission  to  an  object  by 
users  not  already  possessing  access  per¬ 
mission  must  only  be  assigned  by  autho¬ 
rized  users  of  the  object. 

(b) Time  Lockout.  Where  technically  feasible, 
the  AIS  shall  time  lockout  an  interactive 
session  after  an  interval  of  user  inactivity. 
The  time  interval  and  restart  requirements 
shall  be  specified  in  the  AIS  Security  Plan. 

(c)  Audit  Trail.  Provide  an  audit  trail  capabil¬ 
ity  that  records  time,  date  user  ID,  terminal 
ID  (if  applicable),  and  file  name  for  the 
following  events: 

1 .  Introduction  of  objects  into  a  user's 
address  space  (e.g.,  file  open  and  pro¬ 
gram  initiation  as  determined  by  the  Cus¬ 
tomer  and  ISSR). 

2.  Deletion  of  objects  (e.g.,  as  determined 
by  the  Customer  and  ISSR). 

3.  System  log-on  and  log-off. 

4.  Unsuccessful  access  attempts. 

(d)  Require  that  memory  and  storage  contain 
no  residual  data  from  the  previously  con¬ 
tained  object  before  being  assigned,  allo¬ 
cated,  or  reallocated  to  another  subject. 

(e)  Identification  Controls.  Each  person  having 
access  to  a  classified  AIS  shall  have  the  proper 
security  clearances  and  authorizations  and  be 
uniquely  identified  and  authenticated  before 
access  to  the  classified  AIS  is  permitted.  The 
identification  and  authentication  methods  used 
shall  be  specified  and  approved  in  the  AIS 
Security  Plan.  User  access  controls  in  classi¬ 
fied  AISs  shall  include  authorization,  user 
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in  the  AIS  Security  Plan.  User  access  controls 
in  classified  AISs  shall  include  authorization, 
user  identification,  and  authentication  admin¬ 
istrative  controls  for  assigning  these  shall  be 
covered  in  the  AISSR 

L  User  Authorizations.  The  manager  or 
supervisor  of  each  user  of  a  classified 
AIS  shall  determine  the  required  authori¬ 
zations,  such  as  need-to-know,  for  that 
user. 

2.  User  Identification.  Each  system  user 
shall  have  a  unique  user  identifier  and 
authenticator. 

a.  User  ID  Removal.  The  ISSR  shall 
ensure  the  development  and  imple¬ 
mentation  of  procedures  for  the 
prompt  removal  of  access  from  the 
classified  AIS  when  the  need  for 
access  no  longer  exists. 

b.  User  ID  Revalidation.  The  AIS 
ISSR  shall  ensure  that  all  user  IDs 
are  revalidated  at  least  annually,  and 
information  such  as  sponsor  and 
means  of  off-line  contact  (e.g., 
phone  number,  mailing  address)  are 
updated  as  necessary. 

(f)  Authentication.  Each  user  of  a  classified 
AIS  shall  be  authenticated  before  access  is 
permitted.  This  authentication  can  be 
based  on  any  one  of  three  types  of  infor¬ 
mation:  something  the  person  knows  (e.g., 
a  password);  something  the  person  pos¬ 
sesses  (e.g.,  a  card  or  key);  something 
about  the  person  (e.g.,  fingerprints  or 
voiceprints);  or  some  combination  of  these 
three.  Authenticators  that  are  passwords 
shall  be  changed  at  least  every  six  months. 

1.  Requirements. 

a.  Log-on.  Users  shall  be  required  to 
authenticate  their  identities  at  “log¬ 
on”  time  by  supplying  their  authen¬ 
ticator  (e.g.,  password,  smart  card, 
or  fingerprints)  in  conjunction  with 
their  user  ID. 


b.  Protection  of  Authenticator.  An 
Authenticator  that  is  in  the  form  of 
knowledge  or  possession  (password, 
smart  card,  keys)  shall  not  be  shared 
with  anyone.  Authenticators  shall  be 
protected  at  a  level  commensurate 
with  the  accreditation  level  of  the 
Classified  AIS. 

2.  Additional  Authentication  Countermea¬ 
sures.  Where  the  operating  system  pro¬ 
vides  the  capability,  the  following 
features  shall  be  implemented: 

a.  Log-on  Attempt  Rate.  Successive 
log-on  attempts  shall  be  controlled 
by  denying  access  after  multiple 
(maximum  of  five)  unsuccessful 
attempts  on  the  same  user  ID;  by 
limiting  the  number  of  access 
attempts  in  a  specified  time  period; 
by  the  use  of  a  time  delay  control 
system;  or  other  such  methods,  sub¬ 
ject  to  approval  by  the  Customer, 

b.  Notification  to  the  User.  The  user 
shall  be  notified  upon  successful 
log-on  of:  the  date  and  time  of  the 
user's  last  log-on;  the  ID  of  the  ter¬ 
minal  used  at  last  log-on;  and  the 
number  of  unsuccessful  log-on 
attempts  using  this  user  ID  since  the 
last  successful  log-on.  This  notice 
shall  require  positive  action  by  the 
user  to  remove  the  notice  from  the 
screen. 

(g)The  audit,  identification,  and  authentica¬ 
tion  mechanisms  must  be  protected  from 
unauthorized  access,  modification,  or  dele¬ 
tion, 

c.  Security  Assurances  for  System 
High  Mode.  The  system  security 
features  for  need-to-know  controls 
will  be  tested  and  verified.  Identi¬ 
fied  flaws  will  be  corrected. 


a.  An  AIS  is  operating  in  the  compartmented  mode 
when  users  with  direct  or  indirect  access  to  the  AIS, 


8-203*  Compartmented  Security  Mode* 


8-2-3 


its  peripherals,  or  remote  terminals  have  all  of  the 
following: 

(1)  A  valid  personnel  clearance  for  access  to  the 
most  restricted  information  processed  in  the 
AIS. 

(2)  Formal  access  approval  and  have  signed  nondis¬ 
closure  agreements  for  that  information  to  which 
he/she  is  to  have  access  (some  users  do  not  have 
formal  access  approval  for  all  compartments  or 
subcompartments  processed  by  the  AIS.) 

(3)  A  valid  need-to-know  for  that  information  for 
which  he/she  is  to  have  access. 

b.  Security  Features  for  Compartmented  Mode.  In 
addition  to  all  Security  Features  and  Security  Assur¬ 
ances  required  for  the  System  High  Mode  of  Opera¬ 
tion,  Classified  AIS  operating  in  the  Compartmented 
Mode  of  Operation  shall  also  include: 

(1)  Resource  Access  Controls. 

(a)  Security  Labels.  The  Classified  AIS  shall 
place  security  labels  on  all  entities  (e.g., 
files)  reflecting  the  sensitivity  (classifica¬ 
tion  level,  classification  category,  and  han¬ 
dling  caveats)  of  the  information  for 
resources  and  the  authorizations  (security 
clearances,  need-to-know,  formal  access 
approvals)  for  users.  These  labels  shall  be 
an  integral  part  of  the  electronic  data  or 
media.  These  security  labels  shall  be  com¬ 
pared  and  validated  before  a  user  is 
granted  access  to  a  resource. 

(b) Export  of  Security  Labels.  Security  labels 
exported  from  the  Classified  AIS  shall  be 
accurate  representations  of  the  correspond¬ 
ing  security  labels  on  the  information  in 
the  originating  Classified  AIS. 

(2)  Mandatory  Access  Controls.  Mandatory  access 
controls  shall  be  provided.  These  controls  shall 
provide  a  means  of  restricting  access  to  files 
based  on  the  sensitivity  (as  represented  by  the 
label)  of  the  information  contained  in  the  files 
and  the  formal  authorization  (i.e.,  security  clear¬ 
ance)  of  users  to  access  information  of  such  sen¬ 
sitivity, 

(3)  No  information  shall  be  accessed  whose  com¬ 
partment  is  inconsistent  with  the  session  log-on. 


(4)  Support  a  trusted  communications  path  between 
itself  and  each  user  for  initial  log-on  and  verifi¬ 
cation. 

(5)  Enforce,  under  system  control,  a  system-gener¬ 
ated,  printed,  and  human-readable  security  clas¬ 
sification  level  banner  at  the  top  and  bottom  of 
each  physical  page  of  system  hard-copy  output. 

(6)  Audit  these  additional  events:  the  routing  of  all 
system  jobs  and  output,  and  changes  to  security 
labels. 

(7)  Security  Level  Changes.  The  system  shall 
immediately  notify  a  terminal  user  of  each 
change  in  the  security  level  associated  with  that 
user  during  an  interactive  session,  A  user  shall 
be  able  to  query  the  system  as  desired  for  a  dis¬ 
play  of  the  user's  complete  sensitivity  label, 

c.  Security  Assurances  for  Compartmented  Mode. 

(1)  Confidence  in  Software  Source,  In  acquiring 
resources  to  be  used  as  part  of  a  Classified  AIS, 
consideration  shall  be  given  to  the  level  of  confi¬ 
dence  placed  in  the  vendor  to  provide  a  quality 
product,  to  support  the  security  features  of  the 
product,  and  to  assist  in  the  correction  of  any 
flaws. 

(2)  Flaw  Discoveiy.  The  Provider  shall  ensure  the 
vendor  has  implemented  a  method  for  the  dis¬ 
covery  of  flaws  in  the  system  (hardware,  firm¬ 
ware,  or  software)  that  may  have  an  effect  on  the 
security  of  the  AIS. 

(3)  No  Read  Up,  No  Write  Down.  Enforce  an 
upgrade  or  downgrade  principle  where  all  users 
processing  have  a  system-maintained  classifica¬ 
tion;  no  data  is  read  that  is  classified  higher  than 
the  processing  session  authorized;  and  no  data  is 
written  unless  its  security  classification  level  is 
equal  to  or  lower  than  the  user's  authorized  pro¬ 
cessing  security  classification  and  all  non-hier- 
archical  categories  are  the  same. 

(4)  Description  of  the  Security  Support  Structure 
(often  referred  to  as  the  Trusted  Computing 
Base).  The  protections  and  provisions  of  the 
security  support  structure  shall  be  documented 
in  such  a  manner  to  show  the  underlying  plan¬ 
ning  for  the  security  of  a  Classified  AIS.  The 
security  enforcement  mechanisms  shall  be  iso¬ 
lated  and  protected  from  any  user  or  unautho¬ 
rized  process  interference  or  modification. 
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Hardware  and  software  features  shall  bfe  pro¬ 
vided  that  can  be  used  to  periodically  validate 
the  correct  operation  of  the  elements  of  the  secu¬ 
rity  enforcement  mechanisms. 

(5)  Independent  Validation  and  Verification.  An 
Independent  Validation  and  Verification  team 
shall  assist  in  the  technical  evaluation  testing  of 
a  classified  AIS  and  shall  perform  validation  and 
verification  testing  of  the  system  as  required  by 
the  Customer. 

(6)  Security  Label  Integrity.  The  methodology  shall 
ensure  the  following: 

(a)  Integrity  of  the  security  labels; 

(b) The  association  of  a  security  label  with  the 
transmitted  data;  and 

(c)  Enforcement  of  the  control  features  of  the 
security  labels. 

(7)  Detailed  Design  of  security  enforcement  mecha¬ 
nisms.  An  informal  description  of  the  security 
policy  model  enforced  by  the  system  shall  be 
available. 

8*204.  Multilevel  Security  Mode.  NOTE:  Multilevel 
Security  Mode  is  not  routinely  authorized  for  SCI  or 
SAP  applications.  Exceptions  for  SCI  may  be  made  by 
the  heads  of  CIA,  DIA,  or  NSA  on  a  case-by-case  basis. 
Exceptions  for  SAP  may  be  made  by  the  Customer. 

a.  An  AIS  is  operating  in  the  multilevel  mode  when  all 
of  the  following  statements  are  satisfied  concerning 
the  users  with  direct  or  indirect  access  to  the  AIS,  its 
peripherals,  remote  terminals,  or  remote  hosts: 

(1)  Some  users  do  not  have  a  valid  personnel  clear¬ 
ance  for  all  of  the  information  processed  in  the 
AIS.  (Users  must  possess  a  valid  CONFIDEN¬ 
TIAL,  SECRET,  or  TOP  SECRET  clearance.) 

(2)  All  users  have  the  proper  clearance  and  have  the 
appropriate  access  approval  (i.e.,  signed  nondis¬ 
closure  agreements)  for  that  information  to 
which  they  are  intended  to  have  access. 

(3)  All  have  a  valid  need-to-know  for  that  informa¬ 
tion  to  which  they  are  intended  to  have  access. 

b.  Security  Features  for  Multilevel  Mode.  In  addi¬ 
tion  to  all  security  features  and  security  assurances 


required  for  the  compartmented  mode  of  operation, 
classified  AIS  operating  in  the  multilevel  mode  of 
operation  shall  also  include: 

(1)  Audit,  Contain  a  mechanism  that  is  able  to  mon¬ 
itor  the  occurrence  or  accumulation  of  security 
auditable  events  that  may  indicate  an  imminent 
violation  of  security  policy.  This  mechanism 
shall  be  able  to  immediately  notify  the  security 
administrator  when  thresholds  are  exceeded  and, 
if  the  occurrence  or  accumulation  of  these  secu¬ 
rity  relevant  events  continues,  the  system  shall 
take  the  least  disruptive  action  to  terminate  the 
event. 

(2)  Trusted  Path.  Support  a  trusted  communication 
path  between  the  AIS  and  users  for  use  when  a 
positive  AlS-to-user  connection  is  required  (i.e., 
log-on,  change  subject  security  level).  Commu¬ 
nications  via  this  trusted  path  shall  be  activated 
exclusively  by  a  user  or  the  AIS  and  shall  be 
logically  isolated  and  unmistakably  distinguish¬ 
able  from  other  paths.  For  Restricted  Data,  this 
requirement  is  only  applicable  to  multilevel  AIS 
that  have  at  least  one  uncleared  user  on  the  AIS. 

(3)  Support  separate  operator  and  administrator 
functions.  The  functions  performed  in  the  role  of 
a  security  administrator  shall  be  identified.  The 
AIS  system  administrative  personnel  shall  only 
be  able  to  perform  security  administrator  func¬ 
tions  after  taking  a  distinct  auditable  action  to 
assume  the  security  administrative  role  on  the 
AIS  system.  Non-security  functions  that  can  be 
performed  in  the  security  administrative  role 
shall  be  limited  strictly  to  those  essential  to  per¬ 
forming  the  security  role  effectively, 

(4)  Security  Isolation.  The  AIS  security  enforce¬ 
ment  mechanisms  shall  maintain  a  domain  for 
its  own  execution  that  protects  it  from  external 
interference  and  tampering  (e.g.,  by  reading  or 
modification  of  its  code  and  data  structures). 
The  protection  of  the  security  enforcement 
mechanisms  shall  provide  isolation  and  noncir¬ 
cumvention  of  isolation  functions.  For 
Restricted  Data,  this  requirement  is  only  appli¬ 
cable  to  multilevel  AIS  that  have  at  least  one 
uncleared  user  on  the  AIS, 

(5)  Protection  of  Authenticator.  Authenticators  shall 
be  protected  at  the  same  level  as  the  information 
they  access. 
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c.  Security  Assurances  for  Multilevel  Mode. 

(1)  Flaw  Tracking  and  Remediation.  The  Provider 
shall  ensure  the  vendor  provides  evidence  that 
all  discovered  flaws  have  been  tracked  and  rem¬ 
edied. 

(2)  Life-Cycle  Assurance.  The  development  of  the 
Classified  AIS  hardware,  firmware,  and  soft¬ 
ware  shall  be  under  life-cycle  control  and  man¬ 
agement  (i.e.,  control  of  the  Classified  AIS  from 
the  earliest  design  stage  through  decommission¬ 
ing). 

(3)  Separation  of  Functions.  The  functions  of  the 
AIS  IS  SR  and  the  Classified  AIS  manager  shall 
not  be  performed  by  the  same  person, 

(4)  Device  Labels.  The  methodology  shall  ensure 
that  the  originating  and  destination  device  labels 
are  a  part  of  each  message  header  and  enforce 


the  control  features  of  the  data  flow  between 
originator  and  destination. 

(5)  Security  Penetration  Testing.  In  addition  to  test¬ 
ing  the  performance  of  the  classified  AIS  for 
certification  and  for  ongoing  testing,  there  shall 
be  testing  to  attempt  to  penetrate  the  security 
countermeasures  of  the  system.  The  test  proce¬ 
dures  shall  be  documented  in  the  test  plan  for 
certification  and  for  ongoing  testing. 

(6)  Trusted  Recovery.  Provide  procedures  and/or 
mechanisms  to  assure  that,  after  an  AIS  system 
failure  or  other  discontinuity,  recovery  without  a 
protection  compromise  is  obtained. 

(7)  Covert  Channels.  A  covert  channel  analysis 
shall  be  performed. 
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Section  3.  System  Access  and  Operation 


8-300  System  Access.  Access  to  the  system  will  be  lim¬ 
ited  to  authorized  personnel.  Assignment  of  AIS  access 
and  privileges  will  be  coordinated  with  the  ISSR. 
Authentication  techniques  must  be  used  to  provide  con¬ 
trol  for  information  on  the  system.  Examples  of  authen¬ 
tication  techniques  include,  but  are  not  limited  to: 
passwords,  tokens,  biometrics,  and  smart  cards.  User 
authentication  techniques  and  procedures  will  be 
described  in  the  AJSSP. 

a.  User  IDs,  User  IDs  identify  users  in  the  system  and 
are  used  in  conjunction  with  other  authentication 
techniques  to  gain  access  to  the  system.  User  IDs 
will  be  disabled  whenever  a  user  no  longer  has  a 
need-to-know.  The  user  ID  will  be  deleted  from  the 
system  only  after  review  of  programs  and  data  asso¬ 
ciated  with  the  ID.  Disabled  accounts  will  be 
removed  from  the  system  as  soon  as  practical. 
Whenever  possible,  access  attempts  will  be  limited 
to  five  tries.  Users  who  fail  to  access  the  system 
within  the  established  limits  will  be  denied  access 
until  the  user  ID  is  reactivated. 

b.  Access  Authentication. 

(1)  Password.  When  used,  system  log-on  passwords 
will  be  randomly  selected  and  will  be  at  least  six 
characters  in  length.  The  system  log-on  pass¬ 
word  generation  routine  must  be  approved  by 
the  Customer. 

(2)  Validation.  Authenticators  must  be  validated  by 
the  system  each  time  the  user  accesses  the  AIS. 

(3)  Display.  System  log-on  passwords  must  not  be 
displayed  on  any  terminal  or  contained  in  the 
audit  trail.  When  the  AIS  cannot  prevent  a  pass¬ 
word  from  being  displayed  (e.g.,  in  a  half¬ 
duplex  connection),  an  overprint  mask  shall  be 
printed  before  the  password  is  entered  to  con¬ 
ceal  the  typed  password. 

(4)  Sharing.  Individual  user  authenticators  (e.g., 
passwords)  will  not  be  shared  by  any  user. 

(5)  Password  Life.  Passwords  must  be  changed  at 
least  every  six  months. 

(6)  Compromise.  Immediately  following  a  sus¬ 
pected  or  known  compromise  of  a  password  or 
Personal  Identification  Number  (PIN)  the  ISSR 


will  be  notified  and  a  new  password  or  PIN 
issued. 

(7)  Group  Log-on  Passwords.  Use  of  group  log-on 
passwords  must  be  justified  and  approved  by  the 
Customer.  After  log-on,  group  passwords  may 
be  used  for  file  access. 

c.  Protection  of  Authenticators.  Master  data  files 
containing  the  user  population  system  log-on  authen¬ 
ticators  will  be  encrypted  when  practical.  Access  to 
the  files  will  be  limited  to  the  ISSR  and  designated 
altemate(s),  who  will  be  identified  in  writing. 

d.  Modems,  Modems  require  Customer  approval  prior 
to  connection  to  an  AIS  located  in  a  Customer  SAPF. 

e.  User  Warning  Notice.  The  Customer  may  require 
log-on  warning  banners  be  installed. 

8-301.  System  Operation. 

a.  Processing  initialization  is  the  act  of  changing  the 
AIS  from  unclassified  to  classified,  from  one  classi¬ 
fied  processing  level  to  another,  or  from  one  com¬ 
partment  to  another  or  from  one  Customer  to 
another.  To  begin  processing  classified  information 
on  an  approved  AIS  the  following  procedures  must 
be  implemented: 

(1)  Verify  that  prior  mode  termination  was  properly 
performed. 

(2)  Adjust  the  area  security  controls  to  the  level  of 
information  to  be  processed. 

(3)  Configure  the  AIS  as  described  in  the  approved 
AISSP,  The  use  of  logical  disconnects  requires 
Customer  approval, 

(4)  Initialize  the  system  for  processing  at  the 
approved  level  of  operation  with  a  dedicated 
copy  of  the  operating  system.  This  copy  of  the 
operating  system  must  be  labeled  and  controlled 
commensurate  with  the  security  classification 
and  access  levels  of  the  information  to  be  pro¬ 
cessed  during  the  period. 

b.  Unattended  Processing.  Unattended  processing 
will  have  open  storage  approval  and  concurrence 
from  the  customer.  Prior  to  unattended  processing. 
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all  remote  input  and/or  output  (I/O)  not  in  approved 
open  storage  areas  will  be  physically  or  electrically 
disconnected  from  the  host  CPU.  The  disconnect 
will  be  made  in  an  area  approved  for  the  open  stor¬ 
age.  Exceptions  are  on  a  case-by-case  basis  and  will 
require  Customer  approval. 

c.  Processing  Termination.  Processing  termination 
of  any  AIS  will  be  accomplished  according  to  the 
following  requirements. 

(1)  Peripheral  Device  Clearing.  Power  down  all 
connected  peripheral  devices  to  sanitize  all  vola¬ 
tile  buffer  memories.  Overwriting  of  these 
buffer  areas  will  be  considered  by  the  Customer 
on  a  case-by-case  basis. 

(2)  Removable  Storage  Media.  Remove  and  prop¬ 
erly  store  removable  storage  media. 

(3)  Non-removable  (Fixed)  Storage  Media.  Discon¬ 
nect  (physically  or  electrically)  all  storage 
devices  with  nonremovable  storage  media  not 
designated  for  use  during  the  next  processing 
period, 

(4)  CPU  Memory.  Clear  or  sanitize  as  appropriate 
all  internal  memory  including  buffer  storage  and 
other  reusable  storage  devices  (which  are  not 
disabled,  disconnected,  or  removed)  in  accor¬ 
dance  with  8-501,  Table  2. 

(5)  Laser  Printers.  Unless  laser  printers  operating  in 
SAPFs  will  operate  at  the  same  classification 
level  with  the  same  access  approval  levels  dur¬ 
ing  the  subsequent  processing  period,  they  will 
be  cleared  by  running  three  pages  of  unclassified 
randomly  generated  text.  For  SCI,  five  pages  of 
unclassified  pages  will  be  run  to  clear  the 
printer.  These  pages  will  not  include  any  blank 
spaces  or  solid  black  areas.  Otherwise,  no  pages 
need  be  run  through  the  printer  at  mode  termina¬ 
tion. 

(6)  Thermal  printers.  Thermal  printers  have  a  ther¬ 
mal  film  on  a  spool  and  take-up  reel.  Areas  in 
which  these  types  of  laser  printers  are  located 
will  be  either  approved  for  open  storage,  or  the 
spools  and  take-up  reels  will  be  removed  and 
placed  in  secure  storage.  The  printer  must  be 
sanitized  prior  to  use  at  a  different  classification 
level. 


(7)  Impact-type  Printers.  Impact-type  printers  (e.g., 
dot-matrix)  in  areas  not  approved  for  open  stor¬ 
age  will  be  secured  as  follows:  Remove  and 
secure  all  printer  ribbons  or  dispose  of  them  as 
cl^sified  trash.  Inspect  all  printer  platens.  If  any 
indication  of  printing  is  detected  on  the  platen, 
then  the  platen  will  be  either  cleaned  to  remove 
such  printing  or  removed  and  secured  in  an 
approved  classified  container. 

(8)  Adjust  area  security  controls. 

8-302.  Collocation  of  Classilied  and  Unclassified  AIS. 

a.  Customer  permission  is  required  before  a  Provider 
may  collocate  unclassified  AIS  and  classified  AIS. 
This  applies  when: 

(1)  The  unclassified  information  is  to  be  processed 
on  an  AIS  located  in  a  S APF,  or 

(2)  The  unclassified  information  is  resident  in  a 
database  located  outside  of  a  SAPF  but  accessed 
from  terminals  located  within  the  SAPF, 

b.  AIS  approved  for  processing  unclassified  informa¬ 
tion  will  be  clearly  marked  for  UNCLASSIFIED 
USE  ONLY  when  located  within  a  SAPF,  In  addition 
the  following  requirements  apply: 

( 1 )  Must  be  physically  separated  from  any  classified 
AIS. 

(2)  Cannot  be  connected  to  the  classified  AIS. 

(3)  Users  shall  be  provided  a  special  awareness 
briefing. 

(4)  ISSR  must  document  the  procedures  to  ensure 
the  protection  of  classified  information. 

(5)  All  unmarked  media  is  assumed  to  be  classified 
until  reviewed  and  verified. 

c.  Unclassified  portable  AIS  devices  are  prohibited  in  a 
SAPF  unless  Customer  policy  specifically  permits 
their  use.  If  permitted,  the  following  procedures 
must  be  understood  and  followed  by  the  owner  and 
user: 

(1)  Connection  of  unclassified  portable  AIS  to  clas¬ 
sified  AIS  is  prohibited. 
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(2)  Connection  to  other  unclassified  AISs  may  be 
allowed  provided  Customer  approval  is 
obtained. 

(3)  Use  of  an  internal  or  external  modem  with  the 
AIS  device  is  prohibited  within  the  SAPF. 

(4)  The  Provider  will  incorporate  these  procedures 
in  the  owner’s  initial  and  annual  security  brief¬ 
ing. 

(5)  Procedures  for  monitoring  portable  AIS  devices 
within  the  SAPF  shall  be  outlined  in  either  the 
AISSP  or  the  Facility  Security  Plan.  These 
devices  and  the  data  contained  therein  are  sub¬ 
ject  to  security  inspection  by  the  ISSR  and  the 
Customer.  Procedures  will  include  provisions 
for  random  reviews  of  such  devices  to  ensure 
that  no  classified  program-specific  or  program- 
sensitive  data  is  allowed  to  leave  the  secure  area. 
Use  of  such  a  device  to  store  or  process  classi¬ 
fied  information  may,  at  the  discretion  of  the 
Customer,  result  in  confiscation  of  the  device. 
All  persons  using  such  devices  within  the  secure 
area  will  be  advised  of  this  policy  during  secu¬ 
rity  awareness  briefings. 

(6)  Additionally,  where  Customer  policy  permits, 
personally  owned  portable  AIS  devices  may  be 
used  for  unclassified  processing  only  and  must 
follow  the  previous  guidelines. 

8-303.  System  Auditing. 

a.  Audit  Trails.  Audit  trails  provide  a  chronological 
record  of  AIS  usage  and  system  support  activities 
related  to  classified  or  sensitive  processing.  In  addi¬ 
tion  to  the  audit  trails  normally  required  for  the  oper¬ 
ation  of  a  stand-alone  AIS,  audit  trails  of  network 
activities  will  also  be  maintained.  Audit  trails  will 
provide  records  of  significant  events  occurring  in  the 
AIS  in  sufficient  detail  to  facilitate  reconstruction, 


review,  and  examination  of  events  involving  possible 
compromise.  Audit  trails  will  be  protected  from 
unauthorized  access,  modification,  and  deletion. 
Audit  trail  requirements  are  described  under  mode  of 
operation. 

b.  Additional  Records  and  Logs.  The  following 
additional  records  or  logs  will  be  maintained  by  the 
Provider  regardless  of  the  mode  of  operation.  These 
will  include: 

(1)  Maintenance  and  repair  of  AIS  hardware, 
including  installation  or  removal  of  equipment, 
devices,  or  components. 

(2)  Transaction  receipts,  such  as  equipment  saniti¬ 
zation,  release  records,  etc. 

(3)  Significant  AIS  changes  (e.g.,  disconnecting  or 
connecting  remote  terminals  or  devices,  AIS 
upgrading  or  downgrading  actions,  and  applying 
seals  to  or  removing  them  from  equipment  or 
device  covers). 

c.  Audit  Reviews.  The  audit  trails,  records,  and  logs 
created  during  the  above  activities  will  be  reviewed 
and  annotated  by  the  ISSR  (or  designee)  to  be  sure 
that  all  pertinent  activity  is  properly  recorded  and 
appropriate  action  has  been  taken  to  correct  anoma¬ 
lies.  The  Customer  will  be  notified  of  all  anomalies 
that  have  a  direct  impact  on  the  security  posture  of 
the  system.  The  review  will  be  conducted  at  least 
weekly. 

d.  Record  Retention.  The  Provider  will  retain  the 
most  current  6  to  12  months  (Customer  Option)  of 
records  derived  from  audits  at  all  times.  The  Cus¬ 
tomer  may  approve  the  periodic  use  of  data  reduc¬ 
tion  techniques  to  record  security  exception 
conditions  as  a  means  of  reducing  the  volume  of 
audit  data  retained.  Such  reduction  will  not  result  in 
the  loss  of  any  significant  audit  trail  data. 
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Section  4.  Networks 


8-400  Networks.  This  section  addresses  network-spe¬ 
cific  requirements  that  are  in  addition  to  the  previously 
stated  AIS  requirements.  Network  operations  must  pre¬ 
serve  the  security  requirements  associated  with  the 
AIS's  mode  of  operation. 

a.  Types  of  Networks. 

(1 )  A  unified  network  is  a  collection  of  AIS's  or  net¬ 
work  systems  that  are  accredited  as  a  single 
entity  by  a  single  CSA.  A  unified  network  may 
be  as  simple  as  a  small  LAN  operating  in  dedi¬ 
cated  mode,  following  a  single  security  policy, 
accredited  as  a  single  entity,  and  administered 
by  a  single  ISSR.  The  perimeter  of  such  a  net¬ 
work  encompasses  all  its  hardware,  software, 
and  attached  devices.  Its  boundary  extends  to  all 
its  users.  A  unified  network  has  a  single  mode  of 
operation.  This  mode  of  operation  will  be 
mapped  to  the  level  of  trust  required  and  will 
address  the  risk  of  the  least  trusted  user  obtain¬ 
ing  the  most  sensitive  information  processed  or 
stored  on  the  network. 

(2)  An  interconnected  network  is  comprised  of  sep¬ 
arately  accredited  AISs  and/or  unified  networks. 
Each  self-contained  AIS  maintains  its  own  intra- 
AIS  services  and  controls,  protects  its  own 
resources,  and  retains  its  individual  accredita¬ 
tion.  Each  participating  AIS  or  unified  network 
has  its  own  ISSR.  The  interconnected  network 
must  have  a  security  support  structure  capable 
of  adjudicating  the  different  security  policy 
(implementations)  of  the  participating  AISs  or 
unified  networks.  An  interconnected  network 
requires  accreditation,  which  may  be  as  simple 
as  an  addendum  to  a  Memorandum  of  Agree¬ 
ment  (MOA)  between  the  accrediting  authori¬ 
ties. 

b.  Methods  of  Interconnection. 

(1)  Security  Support  Structure  (SSS)  is  the  hard¬ 
ware,  software,  and  firmware  required  to  adjudi¬ 
cate  security  policy  and  implementation 
differences  between  and  among  connecting  uni¬ 
fied  networks  and/or  AISs.  The  SSS  must  be 
accredited.  The  following  requirements  must  be 
satisfied  as  part  of  the  SSS  accreditation; 


(a)  Document  the  security  policy  enforced  by 
the  SSS. 

(b) Identify  a  single  mode  of  operation. 

(c)  Document  the  network  security  architec¬ 
ture  and  design. 

(d)  Document  minimum  contents  of  MOA’s 
required  for  connection  to  the  SSS. 

(2)  The  interconnection  of  previously  accredited 
systems  into  an  accredited  network  may  require 
a  reexamination  of  the  security  features  and 
assurances  of  the  contributing  systems  to  ensure 
their  accreditations  remain  valid. 

(a)  Once  an  interconnected  network  is  defined 
and  accredited,  additional  networks  or  sep¬ 
arate  AISs  (separately  accredited)  may 
only  be  connected  through  the  accredited 
SSS. 

(b) The  addition  of  components  to  contribut¬ 
ing  unified  networks  which  are  members  of 
an  accredited  interconnected  network  are 
allowed  provided  these  additions  do  not 
change  the  accreditation  of  the  contribut¬ 
ing  system. 

c.  Network  Security  Management.  The  Provider 
will  designate  an  ISSR  for  each  Provider  network. 
The  ISSR  may  designate  a  Network  Security  Man¬ 
ager  (NSM)  to  oversee  the  security  of  the  Provider's 
network(s),  or  may  assume  that  responsibility.  The 
ISSR  is  responsible  for  coordinating  the  establish¬ 
ment  and  maintenance  of  a  formal  network  security 
program  based  on  an  understanding  of  the  overall 
security-relevant  policies,  objectives,  and  require¬ 
ments  of  the  Customer.  The  NSM  is  responsible  for 
ensuring  day-to-day  compliance  with  the  network 
security  requirements  as  described  in  the  AISSP  (as 
covered  below)  and  this  Supplement. 

d.  Network  Security  Coordination.  When  different 
accrediting  authorities  are  involved,  a  Memorandum 
of  Agreement  is  required  to  define  the  cognizant 
authority  and  the  security  arrangements  that  will 
govern  the  operation  of  the  overall  network.  When 
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two  or  more  ISSRs  are  designated  for  a  network,  a 
lead  ISSR  will  be  named  by  the  Provider(s)  to  ensure 
a  comprehensive  approach  to  enforce  the  Customer*s 
overall  security  policy. 

e.  Network  Security, 

The  AISSP  must  address: 

(1)  A  description  of  the  network  services  and  mecha¬ 
nisms  that  implement  the  network  security  policy, 

(2)  Consistent  implementation  of  security  features 

across  the  network  components. 

(a)  Identification  and  Authentication  Forward¬ 
ing.  Reliable  forwarding  of  the  identifica¬ 
tion  shall  be  used  between  AISs  when 
users  are  connecting  through  a  network. 
When  identification  forwarding  cannot  be 
verified,  a  request  for  access  from  a  remote 
AIS  shall  require  authentication  before 
permitting  access  to  the  system. 

(b)  Protection  of  Authenticator  Data.  In  for¬ 
warding  the  authenticator  information  and 
any  tables  (e.g.,  password  tables)  associated 
with  it,  the  data  shall  be  protected  from 
access  by  unauthorized  users  (e.g.,  encryp¬ 
tion),  and  its  integrity  shall  be  ensured. 

(c)  Description  of  the  network  and  any  exter¬ 
nal  connections. 

(d) The  network  security  policy  including 
mode  of  operation,  information  sensitivi¬ 
ties,  and  user  clearances. 

(e) Must  address  the  internode  transfer  of 
information  (e.g.,  sensitivity  level,  com- 
partmentation,  and  any  special  access 
requirements),  and  how  the  information  is 
protected. 

(f)  Communications  protocols  and  their  secu¬ 
rity  features. 

(g)  Audit  Trails  and  Monitoring, 

1 .  If  required  by  the  mode  of  operation,  the 
network  shall  be  able  to  create,  main¬ 
tain,  and  protect  from  modification  or 


unauthorized  access  or  destruction  an 
audit  trail  of  successful  and  unsuccessful 
accesses  to  the  AIS  network  components 
within  the  perimeter  of  the  accredited 
network.  The  audit  data  shall  be  pro¬ 
tected  so  that  access  is  limited  to  the 
ISSR  or  his/her  designee. 

2.  For  Restricted  Data,  methods  of  continu¬ 
ous  on-line  monitoring  of  network  activi¬ 
ties  may  be  included  in  each  network 
operating  in  the  Compartmented  Security 
Mode  or  higher.  This  monitoring  may  also 
include  realtime  notification  to  the  ISSR 
of  any  system  anomalies, 

3.  For  Restricted  Data  networks  operating  in 
the  Compartmented  Mode  or  higher,  the 
Customer  may  require  the  audit  trail  to 
include  the  changing  of  the  configuration 
of  the  network  (e.g.,  a  component  leaving 
the  network  or  rejoining). 

4.  The  audit  trail  records  will  allow  associa¬ 
tion  of  the  network  activities  with  corre¬ 
sponding  user  audit  trails  and  records. 

5.  Provisions  shall  be  made  and  the  proce¬ 
dures  documented  to  control  the  loss  of 
audit  data  due  to  unavailability  of 
resources. 

6.  For  Restricted  Data,  the  Customer  may 
require  alarm  features  that  automatically 
terminate  the  data  flow  in  case  of  a  mal¬ 
function  and  then  promptly  notify  the 
ISSR  of  the  anomalous  conditions. 

(h)  Secure  Message  Traffic.  The  communica¬ 
tions  methodology  for  the  network  shall 
ensure  the  detection  of  errors  in  traffic 
across  the  network  links. 

f.  Transmission  Security.  Protected  Distribution 
Systems  or  National  Security  Agency  approved 
encryption  methodologies  shall  be  used  to  protect 
classified  information  on  communication  lines 
that  leave  the  SAPF.  Protected  distribution  sys¬ 
tems  shall  be  either  constructed  in  accordance 
with  the  national  standards  or  utilize  National 
Security  Agency  approved  protected  distribution 
systems. 
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g.  Records.  The  Customer  may  require  records  be 
maintained  of  electronic  transfers  of  data  between 
automated  information  systems  when  those  systems 
are  not  components  of  the  same  unified  network. 
Such  records  may  include  the  identity  of  the  sender, 
identity  and  location  of  the  receiver,  date/time  of  the 
transfer,  and  description  of  the  data  sent.  Records  are 
retained  according  to  8-303.d. 
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Section  5.  Software  and  Data  Files 


8-500.  Software  and  Data  Files. 

a.  Acquisition  and  Evaluation,  ISSR  approval  \vill 
be  obtained  before  software  or  data  files  may  be 
brought  into  the  SAPF.  All  software  must  be 
acquired  from  reputable  and/or  authorized  sources  as 
determined  by  the  ISSR.  The  Provider  will  check  all 
newly-acquired  software  or  data  files,  using  the  most 
current  version  and/or  available  of  virus  checking 
software  and  procedures  identified  in  the  AJSSP  to 
improve  assurance  that  the  software  or  data  files  are 
free  from  malicious  code, 

b.  Protection.  Media  that  may  be  written  to  (e.g.,  mag¬ 
netic  media)  must  be  safeguarded  commensurate 
with  the  level  of  accreditation  of  the  dedicated  or 
system  high  AIS.  Media  on  compartmented  or  multi¬ 
level  AISs  will  be  protected  commensurate  with  the 
level  of  the  operating  session.  If  a  physical  wnte- 
protect  mechanism  is  utilized,  media  may  be  intro¬ 
duced  to  the  AIS  and  subsequently  removed  without 
changing  the  original  classification.  The  integrity  of 
the  write-protection  mechanism  must  be  verified  at  a 
minimum  of  once  per  day  by  attempting  to  write  to 
the  media.  Media  which  cannot  be  changed  (e.g.,  CD 
read-only  media)  may  be  loaded  onto  die  classified 
system  without  labeling  or  classifying  it  provided  it 
is  immediately  removed  from  the  secure  area.  If  this 
media  is  to  be  retained  in  the  secure  area,  it  must  be 
labeled,  controlled,  and  stored  as  unclassified  media 
as  required  by  the  Customer. 

(1)  System  Software.  Provider  personnel  who  are 
responsible  for  implementing  modifications  to 
system  or  security-related  software  or  data  files 
on  classified  AISs  inside  the  SAPF  will  be 
appropriately  cleared.  Software  that  contains 
security  related  functions  (e.g.,  sanitization, 
access  control,  auditing)  will  be  validated  to 
confirm  that  security-related  features  are  fully 
functional,  protected  from  modification,  and 
effective. 

(2)  Application  Software.  Application  software  or 
data  files  (e.g.,  general  business  software),  that 
will  be  used  by  a  Provider  during  classified  pro¬ 
cessing,  may  be  developed/modified  by  person¬ 
nel  outside  the  security  area  without  the 
requisite  security  clearance  with  the  concur¬ 
rence  of  the  Customer. 


(3)  Releasing  Software.  Software  that  has  not  been 
used  on  an  AIS  processing  classified  information 
may  be  returned  to  a  vendor.  If  media  containing 
software  (e.g.,  applications)  are  used  on  a  classi¬ 
fied  system  and  found  to  be  defective,  such  media 
may  not  be  removed  from  a  SAPF  for  return  to  a 
vendor.  When  possible,  software  will  be  tested 
prior  to  its  introduction  into  the  secure  facility. 

c.  Targetability.  For  SCI  and  SAP  the  software, 
whether  obtained  from  sources  outside  the  facility  or 
developed  by  Provider  personnel,  must  be  safe¬ 
guarded  to  protect  its  integrity  from  the  time  of 
acquisition  or  development  through  its  life  cycle  at 
the  Provider's  facility  (i.e.,  design,  development, 
operational,  and  maintenance  phases).  Uncleared 
personnel  will  not  have  any  knowledge  that  the  soft¬ 
ware  or  data  files  will  be  used  in  a  classified  area, 
although  this  may  not  be  possible  in  all  cases.  Before 
software  or  data  files  that  are  developed  or  modified 
by  uncleared  personnel  can  be  used  in  a  classified 
processing  period,  it  must  be  reviewed  by  appropri¬ 
ately  cleared  and  knowledgeable  personnel  to  ensure 
that  no  security  vulnerabilities  or  malicious  code 
exists.  Configuration  management  must  be  in  place 
to  ensure  that  the  integrity  of  the  software  or  data 
files  is  maintained. 

d.  Maintenance  Software.  Software  used  for  mainte¬ 
nance  or  diagnostics  will  be  maintained  within  the 
secure  computing  facility  and,  even  though  unclassi¬ 
fied,  will  be  separately  controlled.  The  AISSP  will 
detail  the  procedures  to  be  used. 

e.  Remote  Diagnostics.  Customer  approval  will  be 
obtained  prior  to  using  vendor-supplied  remote  diag¬ 
nostic  links  for  on-line  use  of  diagnostic  software. 
The  AISSP  will  detail  the  procedures  to  be  used. 

8-501.  Data  Storage  Media.  Data  storage  media  will  be 
controlled  and  labeled  at  the  appropriate  classification 
level  and  access  controls  of  the  AIS  unless  write-pro¬ 
tected  in  accordance  with  8-500.b.  Open  storage 
approval  will  be  required  for  non-removable  media. 

a.  Labeling  Media.  All  data  storage  media  will  be 
labeled  in  human-readable  form  to  indicate  its  classi¬ 
fication  level,  access  controls  (if  applicable),  and 
other  identifying  information.  Data  storage  media 
that  is  to  be  used  solely  for  unclassified  processing 
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and  collocated  with  classified  media  will  be  marked 
as  UNCLASSIFIED.  Color  coding  (i.e.,  media, 
labels)  is  recommended.  If  required  by  the  Customer, 
all  removable  media  will  be  labeled  with  a  classifica- 
tion  label  immediately  after  removing  it  from  its  fac¬ 
tory-sealed  container. 

b.  Reclassification*  When  the  classification  of  the 
media  increases  to  a  higher  level,  replace  the  classifi¬ 
cation  label  with  a  higher  classification-level  label. 
The  label  will  reflect  the  highest  classification  level, 
and  access  controls  (if  applicable)  of  any  informa¬ 
tion  ever  stored  or  processed  on  the  AIS  unless  the 
media  is  write-protected  by  a  Customer-approved 
mechanism.  Media  may  never  be  downgraded  in 
classification  without  the  Customer’s  written 
approval. 

c.  Copying  Unclassified  Information  from  a  Clas¬ 
sified  AIS* 

(1)  The  unclassified  data  will  be  written  to  factory- 
fresh  or  verified  unclassified  media  using 
approved  copying  routines  and/or  utilities  and/ 
or  procedures  as  stated  in  the  AISSP.  For  SCI 
and  SAP,  media  to  be  released  will  be  verified 
by  reviewing  all  data  on  the  media  including 
embedded  text  (e.g.,  headers  and  footers).  Data 
on  media  that  is  not  in  human  readable  form 
(e.g.,  imbedded  graphs,  sound,  video)  will  be 
examined  for  content  with  the  appropriate  soft¬ 
ware  applications.  Data  that  cannot  be  reason¬ 
ably  observed  in  its  entirety  will  be  inspected  by 
reviewing  random  samples  of  the  data  on  the 
media, 

(2)  Moving  Classified  Data  Storage  Media  Between 
Approved  Areas.  The  ISSR  will  establish  proce¬ 
dures  to  ensure  that  data  will  be  written  to  fac- 
tory-ffesh  or  sanitized  media.  The  media  will  be 
reviewed  to  ensure  that  only  the  data  intended 
was  actually  written  and  that  it  is  appropriately 
classified  and  labeled.  Alternatives  for  special 
circumstances  may  be  approved  by  the  Cus¬ 
tomer.  All  procedures  will  be  documented  in  the 
AISSP. 

d.  Overwriting,  Degaussing,  Sanitizing,  and 
Destroying  Media.  Cleared  and  sanitized  media 
may  be  reused  within  the  same  classification  level 
(i.e.,  TS-TS)  or  to  a  higher  level  (i.e.,  SECRET-TS). 
Sanitized  media  may  be  downgraded  or  declassified 
with  the  Customer's  approval.  Only  approved  equip¬ 
ment  and  software  may  be  used  to  overwrite  and 


degauss  magnetic  media  containing  classified  infor¬ 
mation.  Each  action  or  procedure  taken  to  overwrite 
or  degauss  such  media  will  be  verified.  Magnetic 
storage  media  that  malfunctions  or  contains  features 
that  inhibit  overwriting  or  degaussing  will  be 
reported  to  the  ISSR,  who  will  coordinate  repair  or 
destruction  with  the  Customer.  (See  Table  I.) 

Caution:  Overwriting,  degaussing,  and  sanitizing  are  not 
synonymous  with  declassification.  Declassification  is  a 
separate  administrative  function.  Procedures  for  declas¬ 
sifying  media  require  Customer  q)proval. 

(1)  Overwriting  Media.  Overwriting  is  a  software 
procedure  that  replaces  the  data  previously 
stored  on  magnetic  storage  media  with  a  pre¬ 
defined  set  of  meaningless  data.  Overwriting  is 
an  acceptable  method  for  clearing.  Only 
approved  overwriting  software  that  is  compati¬ 
ble  with  the  specific  hardware  intended  for  over¬ 
writing  will  be  used.  Use  of  such  software  will 
be  coordinated  in  advance  with  the  Customer. 
The  success  of  the  overwrite  procedure  will  be 
verified  through  random  sampling  of  the  over¬ 
written  media.  The  effectiveness  of  the  over¬ 
write  procedure  may  be  reduced  by  several 
factors:  ineffectiveness  of  the  overwrite  proce¬ 
dures,  equipment  failure  (e.g.,  misalignment  of 
read/write  heads),  or  inability  to  overwrite  bad 
sectors  or  tracks  or  information  in  inter-record 
gaps.  To  clear  magnetic  disks,  overwrite  all 
locations  three  (3)  times  (first  time  with  a  char¬ 
acter,  second  time  with  its  complement,  and  the 
third  time  with  a  random  character).  Items 
which  have  been  cleared  must  remain  at  the  pre¬ 
vious  level  of  classification  and  remain  in  a 
secure,  controlled  environment. 

(2)  Degaussing  Media.  Degaussing  (i.e.,  demagne¬ 
tizing)  is  a  procedure  that  reduces  the  magnetic 
flux  to  virtual  zero  by  applying  a  reverse  mag¬ 
netizing  field.  Properly  applied,  degaussing 
renders  any  previously  stored  data  on  magnetic 
media  unreadable  and  may  be  used  in  the  sani¬ 
tization  process.  Degaussing  is  more  reliable 
than  overwriting  magnetic  media.  Magnetic 
media  are  divided  into  three  types.  Type  I 
degaussers  are  used  to  degauss  Type  I  magnetic 
media  (i.e.,  media  whose  coercivity  is  no 
greater  than  350  Oersteds  (Oe)).  Type  II 
degaussers  are  used  to  degauss  Type  II  mag¬ 
netic  media  (i.e.,  media  whose  coercivity  is  no 
greater  than  750  Oe).  Currently  there  are  no 
degaussers  that  can  eft'ectively  degauss  all 
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Type  III  magnetic  media  (i.e.,  media  whose 
coercivity  is  over  750  Oe).  Some  degaussers 
are  rated  above  750  Oersteds  and  their  specific 
approved  rating  will  be  determined  prior  to 
use.  Coercivity  of  magnetic  media  defines  the 
magnetic  field  necessary  to  reduce  a  magneti¬ 
cally-saturated  material’s  magnetization  to 
zero.  The  correct  use  of  degaussing  products 
improves  assurance  that  classified  data  is  no 
longer  retrievable  and  that  inadvertent  disclo¬ 
sure  will  not  occur.  Refer  to  the  current  issue  of 
NSA’s  Information  Systems  Security  Products 
and  Services  Catalogue  (Degausser  Products 
List  Section)  for  the  identification  of  degauss¬ 
ers  acceptable  for  the  procedures  specified 
herein.  These  products  will  be  periodically 
tested  to  ensure  continued  compliance  with  the 
specification  NSA  CSS  Media  Declassification 
and  Destruction  Manual  NSA  130-2. 

(3)  Sanitizing  Media.  Sanitization  removes  informa¬ 
tion  from  media  such  that  data  recovery  using 
any  known  technique  or  analysis  is  prevented. 


Sanitizing  is  a  two-step  process  that  includes 
removing  data  firom  the  media  in  accordance 
with  Table  1  and  removing  all  classified  labels, 
markings,  and  activity  logs. 

(4)  Destroying  Media.  Data  storage  media  will  be 
destroyed  in  accordance  with  Customer- 
approved  methods. 

(5)  Releasing  Media.  Releasing  sensitive  or  classi¬ 
fied  Customer  data  storage  media  is  a  three-step 
process.  First,  the  Provider  will  sanitize  the 
media  and  verify  the  sanitization  in  accordance 
with  procedures  in  this  chapter.  Second,  the 
media  will  be  administratively  downgraded  or 
declassified  either  by  the  CSA  or  the  ISSR,  if 
such  authority  has  been  granted  to  the  ISSR. 
Third,  the  sanitization  process,  downgrading  or 
declassification,  and  the  approval  to  release  the 
media  will  be  documented. 
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Table  1 

Clearing  and  Sanitization  Data  Storage 


lype  Media 

Clear 

Sanitize 

{a)  Magnetic  Tape 

Type  I 

a  or  b 

a,  b,  or  destroy 

Type  n 

a  orb 

b  or  destroy 

Type  ni 

aor  b 

Destroy 

(b)  Magnetic  Disk  Packs 

Type  I 

a,  b,or  c 

Type  II 

b  ore 

Type  III 

Destroy 

(c)  Magnetic  Disk  Packs 

Floppies 

a,  b,  or  c 

Destroy 

Bernoulli’s 

a,  b,  or  c 

Destroy 

Removable  Hard  Disks 

a,  b,  or  c 

a,  b,  c,  or  destroy 

Non-Removable  Hard  Disks 

c 

a,  b,  c,  or  destroy 

(d)  Optical  Disk 

Read  Only 

Destroy 

Write  Once,  Read  Many  (Worm) 

Destroy 

Read  Many,  Write  Many 

c 

Destroy 

These  procedures  will  be  performed  by  or  as  directed  by  the  ISSR. 

a.  Degauss  with  a  Type  I  degausser 

b.  Degauss  with  a  Type  II  degausser 

c.  Overwrite  all  locations  with  a  character,  its  complement,  then  with  a  random  character.  Verify  that  all  sectors  have 
been  overwritten  and  that  no  new  bad  sectors  have  occurred.  If  new  bad  sectors  have  occurred  during  classified  pro¬ 
cessing,  this  disk  must  be  sanitized  by  method  a  or  b  described  above.  Use  of  the  overwrite  for  sanitization  must  be 
approved  by  the  Customer. 

Note:  For  hand-held  devices  (e.g.,  calculators  or  personal  directories),  sanitization  is  dependent  upon  the  type  and 
model  of  the  device.  If  there  is  any  question  about  the  correct  sanitization  procedure,  contact  the  manufacturer  or  the 
Customer.  In  general,  sanitization  is  accomplished  as  follows:  Depress  the  “CLEAR  ENTRY”  and  the  “CLEAR 
MEMORY”  buttons,  remove  the  battery  for  several  hours,  and  remove  all  associated  magnetic  media  and  retain  it  in 
the  SAPF  or  destroy.  In  some  models  there  are  special-purpose  memories  and  key-numbered  memories,  as  well  as 
register  stacks.  Caution  will  be  taken  to  clear  all  such  memories  and  registers.  This  may  take  several  key-strokes 
and  may  require  the  use  of  the  operator's  manual.  Test  the  hand  held  device  to  ensure  that  all  data  has  been  removed. 
If  there  is  any  question,  the  device  will  remain  in  the  SAPF  or  be  destroyed. 
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Table! 

Sanitizing  AIS  Components 


TYPE 

Magnetic  Bubble  Memory 
Magnetic  Core  Memory 
Magnetic  Plated  Wire 
Magnetic-Resistive  Memory 

Solid  State  Memory  Components 

Random  Access  Memory  (RAM)  (Volatile) 

Nonvolatile  RAM  (NO VRAM) 

Read  Only  Memory  (ROM) 

Programmable  ROM  (PROM) 

Erasable  Programmable  ROM  (EPROM) 

Electronically  Alterable  PROM  (EAPROM) 

Electronically  Erasable  PROM  (EEPROM) 

Flash  EPROM  (FEPROM) 

These  procedures  will  be  performed  by  or  as  directed  by  the  ISSR. 


PROCEDURE 

a,  b,  or  c 
a,  b,  or  d 
dore 
Destroy 


f,  thenj 
1 

Destroy  (see  k) 
Destroy  (see  k) 

g,  then  d  and  j 

h,  then  d  and  j 

i,  then  d  and  j 
i,  then  d  and  j 


a.  Degauss  with  a  Type  I  degausser. 

b.  Degauss  with  a  Type  n  degausser. 

c.  Overwrite  all  locations  with  any  character. 

d.  Overwrite  all  locations  with  a  character,  its  complement,  then  with  a  random  character. 

e.  Each  overwrite  will  reside  in  memory  for  a  period  longer  than  the  classified  data  resided. 

f.  Remove  all  power,  including  batteries  and  capacitor  power  supplies,  from  RAM  circuit  board. 

g.  Perform  an  ultraviolet  erase  according  to  manufacturer’s  recommendation,  but  increase  time  requirements  by  a 
factor  of  3. 

h.  Pulse  all  gates. 

i.  Perform  a  full  chip  erase.  (See  Manufacturer's  data  sheet.) 

j.  Check  with  Customer  to  see  if  additional  procedures  are  required. 

k.  Destruction  required  only  if  ROM  contained  a  classified  algorithm  or  classified  data. 

l.  Some  NOVRAM  are  backed  up  by  a  battery  or  capacitor  power  source;  removal  of  this  source  is  sufficient  for 
release  following  item  f  procedures.  Other  NOVRAM  are  backed  up  by  EEPROM  which  requires  application  of 
the  procedures  for  EEPROM  (i.e.,  i,  then  d  and  j). 
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Section  6.  AIS  Acquisition,  Maintenance,  and  Release 


8-600.  AIS  Acquisition,  Maintenance,  and  Release. 

a.  Acquisition.  AISs  and  AIS  components  that  will 
process  classified  information  will  be  protected  dur¬ 
ing  the  procurement  process  from  direct  association 
with  the  Customer's  program.  When  required  by  the 
Customer,  protective  packaging  methods  and  proce¬ 
dures  will  be  used  while  such  equipment  is  in  transit 
to  protect  against  disclosure  of  classified  relation¬ 
ships  that  may  exist  between  the  Customer  and  the 
Provider. 

b.  Maintenance  Policy.  The  Provider  will  discuss 
maintenance  requirements  with  the  vendor  before 
signing  a  maintenance  contract.  The  Customer  may 
require  that  AISs  and  AIS  components  used  for  pro¬ 
cessing  Customer  information  will  be  protected  dur¬ 
ing  maintenance  from  direct  association  with  the 
Customer's  program. 

(1)  Cleared  maintenance  personnel  are  those  who 
have  a  valid  security  clearance  and  access 
approvals  commensurate  with  the  information 
being  processed.  Complete  sanitization  of  the 
AIS  is  not  required  during  maintenance  by 
cleared  personnel,  but  need-to-know  will  be 
enforced.  However,  an  appropriately  cleared 
Provider  individual  will  be  present  within  the 
SAPF  while  a  vendor  performs  maintenance  to 
ensure  that  proper  security  procedures  are  being 
followed.  Maintenance  personnel  without  the 
proper  access  authorization  and  security  clear¬ 
ance  will  always  be  accompanied  by  an  individ¬ 
ual  with  proper  security  clearance  and  access 
authorization  and  never  left  alone  in  a  SAPF. 
The  escort  shall  be  approved  by  the  ISSR  and  be 
technically  knowledgeable  of  the  AIS  to  be 
repaired. 

(2)  Prior  to  maintenance  by  a  person  requiring 
escort,  either  the  device  under  maintenance  shall 
be  physically  disconnected  from  the  classified 
AIS  (and  sanitized  before  and  after  mainte¬ 
nance)  or  the  entire  AIS  shall  be  sanitized  before 
and  after  maintenance.  When  a  system  failure 
prevents  clearing  of  the  system  prior  to  mainte¬ 
nance  by  escorted  maintenance  personnel,  Cus¬ 
tomer-approved  procedures  will  be  enforced  to 
deny  the  escorted  maintenance  personnel  visual 
and  electronic  access  to  any  classified  data  that 
may  be  contained  on  the  system. 


(3)  All  maintenance  and  diagnostics  should  be  per¬ 
formed  in  the  Provider's  secure  facility.  Any 
AIS  component  or  equipment  released  from 
secure  control  for  any  reason  may  not  be 
returned  to  the  SAPF  without  the  approval  of  the 
ISSR.  The  Customer  may  require  that  a  perma¬ 
nent  set  of  procedures  be  in  place  for  the  release 
and  return  of  components.  These  procedures 
will  be  incorporated  into  the  AISSP. 

c.  Maintenance  Materials  and  Methods. 

( 1 )  Unclassified  Copy  of  Operating  System.  A  sepa¬ 
rate,  unclassified,  dedicated  for  maintenance 
copy  of  the  operating  system  (i.e.,  a  specific 
copy  other  than  the  copy(s)  used  in  processing 
Customer  information),  including  any  micro- 
coded  floppy  disks  or  cassettes  that  are  integral 
to  the  operating  system,  will  be  used  whenever 
maintenance  is  done  by  uncleared  personnel. 
This  copy  will  be  labeled  “UNCLASSIFIED- 
FOR  MAINTENANCE  USE  ONLY.”  Proce¬ 
dures  for  an  AIS  using  a  nonremovable  storage 
device  on  which  the  operating  system  is  resident 
will  be  considered  by  the  Customer  on  a  case- 
by-case  basis. 

(2)  Vendor-supplied  Software  and/or  Firmware. 
Vendor-supplied  software  and/or  firmware  used 
for  maintenance  or  diagnostics  will  be  main¬ 
tained  within  the  secure  computing  facility  and 
stored  and  controlled  as  though  classified.  If  per¬ 
mitted  by  the  Customer,  the  ISSR  may  allow,  on 
a  case-by-case  basis,  the  release  of  certain  types 
of  costly  magnetic  media  for  maintenance  such 
as  disk  head-alignment  packs. 

(3)  Maintenance  Equipment  and  Components.  All 
tools,  diagnostic  equipment,  and  other  devices 
carried  by  the  vendor  to  the  Provider's  facility 
will  be  controlled  as  follows: 

(a)  Tool  boxes  and  materials  belonging  to  a  vendor  rep¬ 
resentative  will  be  inspected  by  the  assigned  escort 
before  the  vendor  representative  is  permitted  to  enter 
the  secure  area. 

(b) The  ISSR  will  inspect  any  maintenance  hardware 
(such  as  a  data  scope)  and  make  a  best  technical 
assessment  that  the  hardware  cannot  access  classified 
data.  The  equipment  will  not  be  allowed  in  the 
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secure  area  without  the  approval  of  the  ISSR. 

(c)  Maintenance  personnel  may  bring  kits  containing 
component  boards  into  the  secure  facility  for  the  pur¬ 
pose  of  swapping  out  component  boards  that  may  be 
faulty.  Any  component  board  placed  into  an  unsani¬ 
tized  AIS  will  remain  in  the  security  facility  until 
proper  release  procedures  are  completed.  Any  com¬ 
ponent  board  that  remains  in  the  kit  and  is  not  placed 
in  the  AIS  may  be  released  from  the  secure  facility. 

(d)  Any  communication  devices  with  transmit  capability 
belonging  to  the  vendor  representative  or  any  data 
storage  media  not  required  for  the  maintenance  visit 
will  be  retained  outside  the  SAPF  for  return  to  the 
vendor  representative  upon  departure  from  the 
secure  area. 

(4)  Remote  Diagnostic  Links.  Remote  diagnostic 
links  require  Customer  approval.  Permission  for 
the  installation  and  use  of  remote  diagnostic 
links  will  be  requested  in  advance  and  in  writ¬ 
ing.  The  detailed  procedures  for  controlling  the 
use  of  such  a  link  or  links  will  have  the  written 
approval  of  the  Customer  prior  to  implementa¬ 
tion. 

d.  Release  of  Memory  Components  and  Boards. 
Prior  to  the  release  of  any  component  from  an  area 
used  to  process  or  store  Customer  information,  the 
following  requirements  will  be  met  in  respect  to 
coordination,  documentation,  and  written  approval. 
This  section  applies  only  to  components  identified 
by  the  vendor  or  other  technically  knowledgeable 
individual  as  having  the  capability  of  retaining  user 
addressable  data  and  does  not  ^pply  to  other  items 
(e.g.,  cabinets,  covers,  electrical  components  not 
associated  with  data),  which  may  be  released  without 
reservation.  For  the  puiposes  of  this  document,  a 
memory  component  is  considered  to  be  the  Lowest 
Replaceable  Unit  (LRU)  in  a  hardware  device. 
Memory  components  reside  on  boards,  modules,  and 
sub-assemblies.  A  board  can  be  a  module  or  may 
consist  of  several  modules  and  subassemblies. 
Unlike  media  sanitization,  clearing  may  be  an 
acceptable  method  of  sanitizing  components  for 
release  (see  8-501,  Table  2).  Memory  components 
are  specifically  handled  as  either  volatile  or  nonvola¬ 
tile  as  described  below. 

(1)  Volatile  Memory  Components.  Memory  compo¬ 
nents  that  do  not  retain  data  after  removal  of  all 
electrical  power  sources,  and  when  reinserted 
into  a  similarly  configured  AIS  do  not  contain 


residual  data,  are  considered  volatile  memory 
components.  Volatile  components  may  be 
released  only  after  accomplishing  the  following 
steps: 

(a)  Maintain  a  record  of  the  equipment  release 
indicating  that  all  component  memory  is 
volatile  and  that  no  data  remains  in/on  the 
component  when  power  is  removed. 

(b)  Equipment  release  procedures  shall  be 
developed  by  the  ISSR  and  stated  in  the 
AISSE 

(2)  Nonvolatile  Memory  Components.  Memory 
components  that  do  retain  data  when  all  power 
sources  are  disconnected  are  nonvolatile  mem¬ 
ory  components.  Nonvolatile  memory  compo¬ 
nents  defined  as  read  only  memory  (ROM), 
programmable  ROM  (PROM),  or  erasable 
PROM  (EPROM)that  have  been  programmed  at 
the  vendor's  commercial  manufacturing  facility 
are  considered  to  be  unalterable  in  the  field  and 
may  be  released.  Customized  components  of 
this  nature  that  have  been  programmed  with  a 
classified  algorithm  or  classified  data  will  be 
destroyed.  All  other  nonvolatile  components 
may  be  released  after  successful  completion  of 
the  procedures  outlined  in  8-501,  Table  2.  Fail¬ 
ure  to  accomplish  these  procedures  will  require 
the  ISSR  to  coordinate  with  the  Customer  for  a 
determination  of  releasability.  Nonvolatile  com¬ 
ponents  shall  be  released  only  after  accomplish¬ 
ing  the  following  steps: 

(a)  Maintain  a  record  of  the  equipment  release 
indicating  the  procedure  used  for  sanitiz¬ 
ing  the  component,  who  performed  the 
sanitization,  and  who  it  was  released  to, 

(b)  Equipment  release  procedures  must  be 
developed  by  the  ISSR  and  stated  in  the 
AISSP  The  record  will  be  retained  for  12 
months, 

(3)  Inspecting  AIS  Equipment.  All  AIS  equipment 
designated  for  release  will  be  inspected  by  the 
ISSR.  This  review  will  ensure  that  all  media 
including  internal  disks  have  been  removed. 

8-601.  Test  Equipment  The  Provider  will  determine 
the  capability  of  individual  test  instruments  to  collect 
and  process  information.  If  necessary,  the  manufacturer 
will  be  asked  to  provide  this  information.  A  description 
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of  the  capabilities  of  individual  test  equipment  will  be 
provided  to  the  Customer  Security  requirements  are 
based  on  concerns  about  the  capability  of  the  equipment 
to  retain  sensitive  or  classified  data.  Test  equipment  with 
nonvolatile  fixed  or  removable  storage  media  will  com¬ 
ply  with  the  requirements  of  this  Supplement  and  be 
approved  by  the  Customer  for  introduction  and  use  in 
the  SAPF.  Test  equipment  with  no  data  retention  and  no 
secondary  storage  does  not  require  Customer  approval. 
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Section  7.  Documentation  and  Training 


8-700.  Documentation  and  TVaining. 

a.  Provider  Documentation.  The  Provider  will 
develop,  publish,  and  promulgate  a  corporate  AIS 
security  policy,  which  will  be  maintained  on  file  by 
thelSSR. 

b.  Security  Documentation.  The  Provider  will 
develop  and  maintain  security-related  documentation 
which  are  subject  to  review  by  the  Customer  as  fol¬ 
lows: 

(1)  AISSP.  Prepare  and  submit  to  the  Customer  for 
approval  an  AISSP  in  accordance  with  Cus¬ 
tomer  guidance  that  covers  each  AIS  which  will 
process  information  for  the  Customer.  This  plan 
will  appropriately  reference  ail  other  applicable 
Provider  security  documentation.  In  many  cases, 
an  AISSP  will  include  information  that  should 
not  be  provided  to  the  general  user  population. 
In  these  cases,  a  separate  user  security  guide  will 
be  prepared  to  include  only  the  security  proce¬ 
dures  required  by  the  users, 

(2)  Physical  Security  Accreditation.  Maintain  on 
file  the  physical  security  accreditation  documen¬ 
tation  that  identifies  the  date(s)  of  accreditation, 
and  classification  level(s)  for  the  system  device 
locations  identified  in  the  AISSP,  and  any  open 
storage  approvals. 

(3)  Processing  Approval.  Maintain  on  file  the  Cus¬ 
tomer's  processing  approval  (i.e.,  interim 
approval  or  accreditation)  that  specifies  the  date 
of  approval,  system,  system  location,  mode  of 
operation,  and  classification  level  for  which  the 
AIS  is  approved. 

(4)  Memorandum  of  Agreement.  Maintain  on  file  a 
formal  memorandum  of  agreement  signed  by  all 
Customers  having  data  concurrently  processed 
by  an  AIS  or  attached  to  the  network. 

(5)  AIS  Technical  Evaluation  Test  Plan,  As  a  pre¬ 
requisite  to  processing  in  the  compartmented  or 
multilevel  mode,  develop  and  submit  a  technical 
evaluation  test  plan  to  the  Customer  for 
approval.  The  technical  evaluation  test  plan  will 
provide  a  detailed  description  oi  how  the  imple¬ 
mentation  of  the  operating  system  software,  data 


management  system  software,  and  related  secu¬ 
rity  software  packages  will  enable  the  AIS  to 
meet  the  compartmented  or  multilevel  mode 
requirements  stated  herein.  The  test  plan  will 
also  outline  the  test  procedures  proposed  to 
demonstrate  this  compliance.  The  results  of  the 
test  will  be  maintained  for  the  life  of  the  system. 

(6)  Certification  Report.  The  Certification  Report 
will  be  maintained  for  the  life  of  the  system. 

c.  System  User  Training  and  Awareness.  All  AIS 
users,  custodians,  maintenance  personnel,  and  others 
whose  work  is  associated  with  the  Customer  will  be 
briefed  on  their  security  responsibilities.  These  brief¬ 
ings  will  be  conducted  by  the  Provider.  Each  individ¬ 
ual  receiving  the  briefing  will  sign  an  agreement  to 
abide  by  the  security  requirements  specified  in  the 
AISSP  and  any  additional  requirements  initiated  by 
the  Customer.  This  security  awareness  training  will 
be  provided  prior  to  the  individual  being  granted 
access  to  the  classified  AIS  and  at  least  annually 
thereafter.  The  awareness  training  will  cover  the  fol¬ 
lowing  items  and  others  as  applicable: 

(1)  The  security  classifications  and  compartments 
accessible  to  the  user  and  the  protection  respon¬ 
sibilities  for  each.  If  the  user  is  a  privileged  user, 
discuss  additional  responsibilities  commensu¬ 
rate  with  those  privileges; 

(2)  Requirements  for  controlling  access  to  AISs 
(e.g,,  user  IDs,  passwords  and  password  secu¬ 
rity,  the  need-to-know  principle,  and  protecting 
terminal  screens  and  printer  output  from  unau¬ 
thorized  access); 

(3)  Methods  of  securing  unattended  AISs  such  as 
checking  print  routes,  logging  off  the  host  sys¬ 
tem  or  network,  and  turning  the  AIS  off; 

(4)  Techniques  for  securing  printers  such  as  remov¬ 
ing  latent  images  from  laser  drums,  cleaning 
platens,  and  locking  up  ribbons; 

(5)  Caution  against  the  use  of  government-spon¬ 
sored  computer  resources  for  unauthorized 
applications; 


8-7-1 


(6)  The  method  of  reporting  security-related  inci¬ 
dents  such  as  misuse,  violations  of  system  secu¬ 
rity,  unprotected  media,  improper  labeling, 
network  data  spillage,  etc.; 

(7)  Media  labeling,  including  classification  labels, 
data-descriptor  labels,  placement  of  labels  on 
media,  and  maintenance  of  label  integrity; 

(8)  Secure  methods  of  copying  and  verifying  media; 

(9)  Methods  of  safeguarding  media,  including  write 
protection,  removal  from  unattended  AISs,  and 
storage; 

(10)  Methods  of  safeguarding  hard-copy  output, 
including  marking,  protection  during  printing, 
and  storage; 

(1 1 )  Policy  on  the  removal  of  media; 

(12)  Methods  of  clearing  and  sanitizing  media; 

(13)  Procedures  for  destroying  and  disposing  of 
media,  printer  ribbons,  and  AIS  circuit  boards 
and  security  aspects  of  disposing  of  AISs; 


(14)  Methods  of  avoiding  viruses  and  other  mali¬ 
cious  code  including  authorized  methods  of 
acquiring  software,  examining  systems  regu¬ 
larly,  controlling  software  and  media,  and  plan¬ 
ning  for  emergencies.  Discuss  the  use  of 
recommended  software  to  protect  against 
viruses  and  steps  to  be  taken  when  a  virus  is  sus¬ 
pected; 

(15)  AIS  maintenance  procedures  including  the  steps 
to  be  taken  prior  to  AIS  maintenance  and  the 
user's  point-of-contact  for  AIS  maintenance 
matters; 

(16)  Any  special  security  requirements  with  respect 
to  the  user’s  AIS  environment  including  connec¬ 
tions  to  other  AIS  equipment  or  networks; 

(17)  The  use  of  personally  owned  electronic  devices 
within  the  SAPF; 

(18)  Any  other  items  needed  to  be  covered  for  the 
specific  Customer’s  program. 
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Chapter  9 
Restricted  Data 

Section  1.  Introduction 


9-100.  General.  This  chapter  of  the  NISPOMSUP 
addresses  those  supplemental  security  requirements  for 
SECRET  Restricted  Data  (SRD)  and  TOP  SECRET 
Restricted  Data  (TSRD)  information  which  have  been 
identified  as  being  sufficiently  sensitive  to  necessitate 
security  standards  above  and  beyond  those  mandated  by 
the  NISPOM  baseline  document.  Hereafter  these  are 
referred  to  as  Critical  SRD  or  TSRD.  CONFIDEN¬ 
TIAL  RD  and  all  classification  levels  of  Formerly 
Restricted  Data  shall  be  protected  in  accordance 
with  the  requirements  in  the  NISPOM  baseline  doc¬ 
ument  In  addition  to  those  requirements  in  Chapter  9 
of  the  NISPOM,  this  chapter  prescribes  the  supplemen¬ 
tal  requirements  for  the  protection  of  Critical  SRD  and 
TSRD  information.  Neither  the  NISPOM  nor  the  NIS¬ 
POMSUP  are  to  be  construed  to  apply  to  the  safeguard¬ 
ing  requirements  for  Special  Nuclear  Material,  Nuclear 
Explosive  Like  Assemblies,  or  Nuclear  Weapons. 

9-101.  Requirements.  Under  the  authority  of  the 
Atomic  Energy  Act  of  1954,  the  Secretary  of  Energy, 
using  his/her  authority  over  Restricted  Data,  may  issue 
orders,  guides,  and  manuals  concerning  protection  of 
Restricted  Data.  These  issuances  serve  as  the  basis  for 
government-wide  implementation  procedures.  How¬ 
ever,  these  procedures  of  other  agencies  have  not  been 
endorsed  by  DOE.  As  a  result  of  changes  in  the  world 
situation,  these  policy  issuances  are  currently  under 
review  by  the  Joint  DOE/DOD  Nuclear  Weapons  Infor¬ 
mation  Access  Authorization  Review  Group.  Until  the 
Reviev/  Group’s  recommendations  are  approved  as  pol¬ 
icy  by  the  Secretary  of  Energy,  DOD  contractors  will 
continue  to  protect  Critical  SRD  and  TSRD  in  accor¬ 
dance  with  established  contractual  provisions.  A  revi¬ 
sion  of  this  chapter  will  be  developed  and  promulgated 
following  the  results  of  the  Joint  DOE/DOD  Nuclear 
Weapons  Information  Access  Authorization  Review 
Group.  Nothing  in  this  paragraph  alters  or  abridges  the 
authority  of  the  Secretary  of  Energy  under  the  Atomic 
Energy  Act  of  1954,  as  amended.  DOD  contracts 
awarded  in  the  interim  period  dealing  with  the  physics 
of  nuclear  weapons  design,  as  specified  in  9-101. a 
through  9-101. i,  will  be  reviewed  by  technically  quali¬ 
fied  representatives  to  determine  if  the  contract  involves 
the  above  specified  Critical  SRD  or  TSRD  information. 


If  sOy  this  chapter's  requirements  will  be  included  in 
the  contractual  document  DOE  technical  experts  will 
be  available  to  provide  advice  and  assistance  upon 
request  by  contracting  agency  representative.  Should  the 
results  of  the  Joint  DOE/DOD  Nuclear  Weapons  Infor¬ 
mation  Access  Authorization  Review  Group  modify  the 
information  specified  in  9- 101. a  through  9-lOl.i,  the 
affected  contracts  may  be  amended.  For  DOE  contrac¬ 
tors,  Restricted  Data  will  continue  to  be  protected  in 
accordance  with  the  Department  of  Energy  *s  5600 
series  Safeguards  and  Security  orders  until  the 
Review  Group  ^s  recommendations  are  approved  as 
policy  by  the  Secretary  of  Energy  and  this  chapter  is 
revised  to  conform  to  the  new  policy. 

a.  Theory  of  operation  (hydrodynamic  and  nuclear)  or 
completed  design  of  thermonuclear  weapons  or  their 
unique  components.  This  definition  includes  specific 
information  about  the  relative  placement  of  compo¬ 
nents  and  their  functions  with  regard  to  initiating  and 
sustaining  the  thermonuclear  reaction. 

b.  Theory  of  operation  or  complete  design  of  fission 
weapons  or  their  unique  components.  This  defini¬ 
tion  includes  the  high  explosive  system  with  its  det¬ 
onators  and  firing  unit,  pit  system,  and  nuclear 
initiating  system  as  they  pertain  to  weapon  design 
and  theory. 

c.  Manufacturing  and  utilization  information  which 
reveals  the  theory  of  operation  or  design  of  the  phys¬ 
ics  package. 

d.  Information  concerning  inertial  confinement  fusion 
which  reveals  or  is  indicative  of  weapon  data. 

e.  Complete  theory  of  operation,  complete  or  partial 
design  information  revealing  sensitive  design  fea¬ 
tures  or  information  on  energy  conversion  of  a 
nuclear  directed  energy  weapon.  Sensitive  informa¬ 
tion  includes  but  is  not  limited  to  the  nuclear  energy 
converter,  energy  director,  or  other  nuclear  directed 
energy  system  or  components  outside  the  envelope 
of  the  nuclear  source  but  within  the  envelope  of  the 
nuclear  directed  energy  weapon. 
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f.  Manufacturing  and  utilization  information  and  out¬ 
put  characteristics  for  nuclear  energy  converters, 
directors,  or  other  nuclear  directed  energy  weapon 
systems  or  components  outside  the  envelope  of  the 
nuclear  source  and  which  do  not  comprehensively 
reveal  the  theory  of  operation,  sensitive  design  fea¬ 
tures  of  the  nuclear  directed  energy  weapon  or  how 
the  energy  conversion  takes  place. 

g.  Nuclear  weapon  vulnerability  assessment  informa¬ 
tion  concerning  use  control  systems  that  reveals  an 
exploitable  design  feature,  or  an  exploitable  system 
weakness  or  deficiency,  which  could  be  expected  to 
permit  the  unauthorized  use  or  detonation  of  a 
nuclear  weapon. 

h.  Detailed  design  and  functioning  information  of 
nuclear  weapon  use  control  systems  and  their  com¬ 
ponents.  Includes  actual  hardware  and  drawings  that 
reveal  design  or  theory  of  operation.  This  also 
includes  use  control  information  for  passive  and 
active  systems  as  well  as  for  disablement  systems. 

i.  Access  to  specific  categories  of  noise  and  quieting 
information,  fuel  manufacturing  technology  and 
broad  policy  or  program  direction  associated  with 
Naval  Nuclear  Propulsion  Plants  as  approved  by  the 
Naval  Nuclear  Propulsion  Program  CSA, 


9-102. 

a.  Contractors  shall  establish  protective  measures  for 
the  safeguarding  of  Critical  SRD  and  TSRD  in 
accordance  with  the  requirements  of  this  chapter. 
Where  these  requirements  are  not  appropriate  for 
protecting  specific  types  or  forms  of  material,  com¬ 
pensatory  provisions  shall  be  developed  and 
approved  by  the  CSA,  with  the  concurrence  of 
DOE,  as  appropriate.  Nothing  in  this  NISPOMSUP 
shall  be  construed  to  contradict  or  inhibit  compli¬ 
ance  with  the  law  or  building  codes. 

b.  Access  to  Restricted  Data  shall  be  limited  to  per¬ 
sons  who  possess  appropriate  access  authorization, 
or  PCL,  and  who  require  such  access  (need-to- 
know)  in  the  performance  of  official  duties  (i.e., 
have  a  verifiable  need-to-know).  For  access  to  TOP 
SECRET  Restricted  Data,  an  individual  must  pos¬ 
sess  an  active  Q  access  authorization,  or  a  final 
TOP  SECRET  PCL,  based  on  a  SSBI.  For  access 
to  Critical  SECRET  Restricted  Data,  as  defined  in 
9-lOl.a  through  9-lOl.i,  an  individual  must  pos¬ 
sess  an  active  Q  access  authorization,  or  final  TOP 
SECRET  or  SECRET  PCL,  based  on  a  SSBI. 
Controls  shall  be  established  to  detect  and  deter 
unauthorized  access  to  Restricted  Data 
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Section  2.  Secure  Working  Areas 


9-200.  Secure  Working  Areas. 

a.  General.  When  not  placed  in  approved  storage,  Criti¬ 
cal  SRD  and  TSRD  must  be  maintained  in  approved 
Secured  Working  Areas,  and  be  constantly  attended  to 
by,  or  under  the  control  of,  a  person  or  persons  having 
the  proper  access  authorization,  or  PCL,  and  a  need- 
to-know,  who  are  responsible  for  its  protection. 

b.  Requirements,  Secure  Working  Area  boundaries 
shall  be  defined  by  physical  barriers  (e.g.,  fences, 
walls,  doors).  Protective  personnel  or  other  measures 
shall  be  used  to  control  authorized  access  through 
designated  entry  portals  and  to  deter  unauthorized 
access  to  the  area.  A  personnel  identification  system 
(e.g.,  security  badge)  shall  be  used  as  a  control  mea¬ 
sure  when  there  are  more  than  30  persons  per  shift, 
Entrance/Exit  inspections  for  prohibited  articles  and/ 
or  Government  property  may  be  conducted  by  protec¬ 
tive  personnel.  When  access  to  a  Secure  Working 
Area  is  authorized  for  a  person  without  appropriate 
access  authorization  or  need-to-know,  measures  shall 
be  taken  to  prevent  compromise  of  .classified  matter. 
Access  to  safeguards  and  security  interests  within  a 
Secure  Working  Area,  when  not  in  approved  storage, 
is  controlled  by  the  custodian(s)  or  authorized  user(s). 
Means  shall  be  used  to  detect  unauthorized  intrusion 
appropriate  to  the  classified  matter  under  protection. 

9-201.  Barriers.  Physical  barriers  shall  be  used  to 
demarcate  the  boundaries  of  a  Secure  Working 
Area,  Permanent  barriers  shall  be  used  to  enclose 
the  area,  except  during  construction  or  transient 
activities,  when  temporary  barriers  may  be  erected. 
Temporary  barriers  may  be  of  any  height  and  material 
that  effectively  impede  access  to  the  area, 

a.  Walls.  Building  materials  shall  offer  penetration 
resistance  to,  and  evidence  of,  unauthorized 
entry  into  the  area.  Construction  shall  meet  local 
building  codes.  Walls  that  constitute  exterior  bar¬ 
riers  of  Security  Areas  shall  extend  from  the 
floor  to  the  structural  ceiling,  unless  equivalent 
means  are  used. 

(1)  When  transparent  glazing  material  is  used, 
visual  access  to  the  classified  material  shall 
be  prevented  by  the  use  of  drapes,  blinds,  or 
other  means. 


(2)  Insert-type  panels  (if  used)  shall  be  such  that 
they  cannot  be  removed  from  outside  the  area 
being  protected  without  showing  visual  evi¬ 
dence  of  tampering. 

b.  Ceilings  and  Floors.  Ceilings  and  floors  shall  be 
constructed  of  building  materials  that  offer  pene¬ 
tration  resistance  to,  and  evidence  of,  unautho¬ 
rized  entry  into  the  area.  Construction  shall  meet 
local  building  codes, 

c.  Doors.  Doors  and  door  jambs  shall  provide  the 
necessary  barrier  delay  rating  requL'\  by  the 
applicable  procedure.  As  a  minimum,  require¬ 
ments  shall  include  the  following: 

(1)  Doors  with  transparent  glazing  material  may 
be  used  if  visual  access  is  not  a  security  con¬ 
cern;  however,  they  shall  offer  penetration 
resistance  to,  and  evidence  of,  unauthorized 
entry  into  the  area, 

(2)  A  sight  baffle  shall  be  used  if  visual  access  is 
a  factor. 

(3)  An  astragal  shall  be  used  where  doors  used 
in  pairs  meet. 

(4)  Door  louvers,  baffle  plates,  or  astragals, 
when  used,  shall  be  reinforced  and  immov¬ 
able  from  outside  the  area  being  protected. 

d.  Windows.  The  following  requirements  shall  be 
applicable  to  windows: 

(1 )  When  primary  reliance  is  placed  on  windows 
as  physical  barriers,  they  shall  offer  penetra¬ 
tion  resistance  to,  and  evidence  of,  unautho¬ 
rized  entry  into  the  area, 

(2)  Frames  shall  be  securely  anchored  in  the 
walls,  and  windows  shall  be  locked  from  the 
inside  or  installed  in  fixed  (nonoperable) 
frames  so  the  panes  are  not  removable  from 
outside  the  area  being  protected, 

(3)  Visual  barriers  shall  be  used  if  visual  access 
is  a  factor. 
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e.  Unattended  Openings. 

(1)  Physical  protection  features  shall  be  imple- 
mented  at  all  locations  where  storm  sewers, 
drainage  swells,  and  site  utilities  intersect 
the  fence  perimeter. 

(2)  Unattended  openings  in  security  barriers, 
which  meet  the  following  criteria,  must 
incorporate  compensatory  measures  such  as 
security  bars:  greater  than  96  inches  square 


(619.20  square  centimeters)  in  area  and 
greater  than  6  inches  (15.24  centimeters)  in 
the  smallest  dimension;  and  located  within 
18  feet  (5.48  meters)  of  the  ground,  roof,  or 
ledge  of  a  lower  Security  Area;  or  located  14 
feet  (4.26  m)  diagonally  or  directly  opposite 
windows,  fire  escapes,  roofs,  or  other  open¬ 
ings  in  uncontrolled  adjacent  buildings;  or 
located  6  feet  (1.83  m)  from  uncontrolled 
openings  in  the  same  barrier. 
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Section  3.  Storage  Requirements 


9-300.  General.  Custodians  and  authorized  users  of 
Critical  SRD  and  TSRD  are  responsible  for  the  pro¬ 
tection  and  control  of  such  matter, 

9-301.  TSRD  Storage.  TOP  SECRET  Restricted  Data 
that  is  not  under  the  personal  control  of  an  authorized 
person  shall  be  stored  within  a  security  repository 
located  within  a  Secure  Working  Area  with  CSA 
approved  supplementary  protection  consistent  with 
Chapter  5-307, a  and  5-307, b  of  the  NISPOM  baseline. 
Authorized  repositories  are  as  follows: 

a.  In  a  locked,  General  Services  Administration- 
approved  security  container, 

b.  In  a  vault  or  vault-type  room, 

9-302.  Critical  SRD  Storage.  Critical  SRD  shall  be 
stored  in  a  manner  authorized  for  Top  Secret 
Restricted  Data  matter  or  in  one  of  the  following  ways: 

a.  In  a  locked  General  Services  Administration- 
approved  security  container  located  within  a 
Secure  Working  Area. 


b.  In  a  General  Services  Administration-approved 
security  container,  not  located  within  a  Secure 
Working  Area,  under  supplemental  protection  (Le,, 
intrusion  detection  system  protection  or  protective 
patrol), 

c.  In  a  steel  filing  cabinet,  not  meeting  General  Ser¬ 
vices  Administration  requirements,  but  approved 
for  use  prior  to  the  date  of  this  NISPOMSUP, 
which  may  continue  to  be  used  until  there  is  a 
need  for  replacement.  It  shall  be  equipped  with  a 
minimum  of  either  an  Underwriter  Laboratories 
Group  1,  built-in,  changeable  combination  lock  or 
a  lock  that  meets  Federal  Specification  FF-P-IIO 
^Padlock,  Changeable  Combination,  ”  Steel  filing 
cabinets  located  within  a  Secure  Working  Area 
shall  be  under  approved  supplemental  protection 
(Le,,  intrusion  detection  system  protection  or  pro¬ 
tective  patrol).  If  the  steel  filing  cabinet  is  not 
located  within  a  Secure  Working  Area,  it  shall  be 
under  intrusion  detection  system  protection. 
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Chapter  10 

International  Security  Requirements 


International  security  information  that  is  required  by  a 
SAP  or  is  SAP-related  will  conform  to  the  NISPOM  as 
directed  by  the  PSO. 
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Chapter  11 
Miscellaneous 

Section  1:  TEMPEST 


TEMPEST  Requirements.  When  compliance  with 
TEMPEST  standards  is  required  for  a  contract,  the 
GPM/PSO  will  issue  specific  guidance  in  accordance 
with  current  national  directives  that  afford  consideration 
to  realistic,  validated,  local  threats,  cost  effectiveness, 
and  zoning. 
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Section  2.  Government  Technical  Libraries 


SAP  information  will  not  be  sent  to  the  National 
Defense  Technical  Information  Center  or  the  U.S, 
Department  of  Energy  Office  of  Scientific  and  Tech¬ 
nical  Information. 
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Section  3.  Independent  Research  and  Development 


11-300.  General.  The  use  of  SAP  information  for  a 
contractor  Independent  Research  and  Development 
(IR&D)  effort  will  occur  only  with  the  specific  written 
permission  of  the  Contracting  Officer.  Procedures  and 
requirements  necessary  for  safeguarding  SAP  classi¬ 
fied  information  when  it  is  incorporated  in  a  contrac¬ 
tor's  IR&D  effort  will  be  coordinated  with  the  PSO. 

11-301.  Retention  of  SAP  Classified  Documents  Gen¬ 
erated  Under  IR&D  Efforts.  With  the  permission  of 
the  Contracting  Officer,  the  contractor  may  be  allowed 
to  retain  the  classified  material  generated  in  connection 


with  a  classified  IR&D  effort.  The  classified  documents 
may  be  required  to  be  sanitized.  If  necessary,  the  Gov¬ 
ernment  agency  will  provide  the  contractor  assistance  in 
sanitizing  the  material  to  a  collateral  or  unclassified 
level  (i.e.,  by  reviewing  and  approving  the  material  for 
release). 

11-302.  Review  of  Classified  IR&D  Efforts.  IR&D 
operations  and  documentation  that  contain  SAP  clas¬ 
sified  information  will  be  subject  to  review  in  the 
same  manner  as  other  SAP  classified  information  in 
the  possession  of  the  contractor. 


Section  4.  Operations  Security 


Special  Access  Programs  may  require  unique  Opera¬ 
tions  Security  (OPSEC)  plans,  surveys,  and  activities  to 
be  conducted  as  a  method  to  identify,  define,  and  pro¬ 
vide  countermeasures  to  vulnerabilities.  These  require¬ 
ments  may  be  made  part  of  the  contractual  provisions. 
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Section  5.  Counterintelligence  (Cl)  Support 


11-500.  Counterintelligence  (Cl)  Support  Analysis  of 
foreign  intelligence  threats  and  risks  to  Program  infor¬ 
mation,  material,  personnel,  and  activities  may  be 
undertaken  by  the  Government  Agency.  Resulting  infor¬ 
mation  that  may  have  a  bearing  on  the  security  of  a  SAP 
will  be  provided  by  the  Government  to  the  contractor 
when  circumstances  permit.  Contractors  may  use  Cl 
support  to  enhance  or  assist  security  planning  and  safe¬ 
guarding  in  pursuit  of  satisfying  contractual  obligations. 
Requests  should  be  made  to  the  PSO. 

11-501.  Countermeasures.  Security  countermeasures 
may  be  required  for  SAPs  to  protect  critical  information, 
assets,  and  activities.  When  OPSEC  countermeasures 


are  necessaiy,  they  will  be  made  a  part  of  the  contract 
provisions  and  cost  implementation  may  be  subject  to 
negotiation.  Countermeasures  may  be  active  or  passive 
techniques,  measures,  systems,  or  procedures  imple¬ 
mented  to  prevent  or  reduce  the  timely  effective  collec¬ 
tion  and/or  analysis  of  information  which  would  reveal 
intentions  or  capabilities  (e.g.,  traditional  security  pro¬ 
gram  measures,  electronic  countermeasures,  signature 
modification,  operational  and/or  procedural  changes, 
direct  attack  against  and  neutralization  of  threat  agents 
and/or  platforms,  etc.). 
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Section  6.  Decompartmentation,  Disposition,  and 
Technology  Transfer 


11-600.  Every  scientific  paper,  journal  article,  book, 
briefing,  etc.,  pertaining  to  a  SAP  and  prepared  by 
personnel  currently  or  previously  briefed  on  the  SAP 
that  is  proposed  for  publication  or  presentation  out¬ 
side  of  the  SAP  will  be  reviewed  by  the  PSO  and  a  Pro¬ 
gram-briefed  Public  Affairs  Officer  (PAO)  if  available. 
Any  release  -will  be  by  the  GPM.  Often  SAP-unique 
“tools”  such  as  models,  software,  technology,  and  facil¬ 
ities  may  be  valuable  to  other  SAPs.  Some  information, 
material,  technology,  or  components  may  not  be  indi¬ 
vidually  sensitive.  If  information  or  materials  can  be 
segregated  and  disassociated  from  the  SAP  aspects  of 
the  Program,  decompartmentation  and  release  of  the 
information  and/or  materials  may  be  approved  to  sup¬ 
port  U.S.  Government  activities.  The  information  and 
materials  proposed  for  release  will  remain  within  the 
Program  Security  Channels  until  authorized  for 
release. 

11-601.  Procedures.  The  following  procedures  apply  to 
the  partial  or  full  decompartmentation,  transfer  (either  to 
another  SAP  or  collateral  Program),  and  disposition  of 
any  classified  information,  data,  material(s),  and  hard¬ 
ware  or  software  developed  under  a  SAP  contract  or 
subcontract  (SCI  information  will  be  handled  within 
SCI  channels). 

a.  Decompartmentation.  Prior  to  decompartmenting 
any  classified  SAP  information  or  other  material(s) 
developed  within  the  Program,  the  CPSO  will 
obtain  the  written  approval  of  the  GPM.  Decom¬ 
partmentation  initiatives  at  a  Program  activity  will 
include  completion  of  a  Decompartmentation  or 
Transfer  Review  Format  Include  supporting  docu¬ 
mentation  that  will  be  submitted  through  the  PSO 


to  the  GPM.  Changes,  conditions  and  stipulations 
directed  by  the  GPM  will  be  adhered  to.  Approval  of 
Program  decompartmentation  and  all  subsequent 
transfers  will  be  in  writing. 

b.  Technology  Transfer.  Technologies  may  be  trans¬ 
ferred  through  established  and  approved  channels  in 
cases  where  there  would  be  a  net  benefit  to  the  U.S. 
Government  and  Program  information  is  not 
exposed  or  compromised.  The  Contracting  Officer  is 
the  approval  authority  for  technology  transfers. 

(1)  Contractor  Responsibilities.  CPSOs  will  ensure 
that  technologies  proposed  for  transfer  receive 
a  thorough  security  review.  The  review  will 
include  a  written  certification  that  all  class^ed 
items  and  unclassified  Program-sensitive 
information  have  been  redacted  from  the  mate¬ 
rial  in  accordance  with  sanitization  procedures 
authorized  by  the  GPM.  A  description  of  the 
sanitization  method  used  and  identification  of 
the  official  who  accomplished  the  redaction 
will  accompany  the  information  or  material(s) 
forwarded  to  the  GPM  for  review  and  approval 

(2)  Government  Responsibilities.  The  contracting 
officer’s  representative  (COR),  PSO,  and  GPM 
will  make  every  attempt  to  review  requests 
expeditiously.  Requests  will  be  submitted  at 
least  thirty  (30)  working  days  prior  to  the 
requested  release  date.  This  is  particularly 
important  when  requesting  approval  for  Pro¬ 
gram-briefed  personnel  to  make  non-Program 
related  presentations  at  conferences,  symposia, 
etc. 


11-6-1 


Section  7.  Other  Topics 


11-700.  Close-out  of  a  SAP.  At  the  initiation  of  a  con¬ 
tract  close-outf  termination  or  completion  of  the  con¬ 
tract  effort,  the  CPSO  will  consider  actions  for 
disposition  of  residual  hardware,  software,  documen¬ 
tation,  facilities,  and  personnel  accesses.  Security 
actions  to  close-out  Program  activities  will  prevent 
compromise  of  classified  Program  elements  or  other 
SAP  security  objectives.  The  contractor  may  be 
required  to  submit  a  termination  plan  to  the  Govern¬ 
ment  The  master  classified  material  accountability 
record  (log  or  register)  normally  will  be  transferred  to 
the  PSO  at  Program  close-out. 

11-  701.  Special  Access  Program  Secure  Communi¬ 
cations  Network.  SAPs  may  use  a  SAP  secure  commu¬ 
nications  and/or  data  network  linking  the  GPM  and/or 
contractors  with  associated  technical,  operational,  and 
logistic  support  activities  for  secure  communications. 


11-  702.  Patents.  Patents  involving  SAP  information 
will  be  forwarded  to  the  GPM/PSO  for  submission 
to  the  Patents  Office,  The  PSO  will  coordinate  with 
Government  attorneys  and  the  Patent  Office  for  sub¬ 
mission  of  the  patent. 

11- 703.  Telephone  Security.  The  PSO  will  determine 
the  controls,  active  or  inactive,  to  be  placed  on  telecom¬ 
munication  lines.  SAPFs  accredited  for  discussion  or 
electronic  processing  will  comply  with  DCID  1/21 
and  Telephone  Security  Group  (TSG)  standards  as 
determined  by  the  PSO. 


11-7-1 


Appendix  A 
Definitions 


Access  Approval  Authority.  Individual  responsible 
for  final  access  approval  and/or  denial  determination. 

Access  Roster.  A  database  or  listing  of  individuals 
briefed  to  a  special  access  program. 

Access  Termination.  The  removal  of  an  individual 
from  access  to  SAP  or  other  Program  information. 

Accrediting  Authority.  A  Customer  official  who  has 
the  authority  to  decide  on  accepting  the  security  safe¬ 
guards  prescribed  or  who  is  responsible  for  issuing  an 
accreditation  statement  that  records  the  decision  to 
acccept  those  safeguards. 

Acknowledged  Special  Access  Program.  A  SAP 

whose  existence  is  publicly  acknowledged. 

Acquisition  Special  Access  Program  (AQ-SAP).  A 
special  access  program  established  primarily  to  protect 
sensitive  research,  development,  testing,  and  evaluation 
(RDT&E)  or  procurement  activities  in  support  of  sensi¬ 
tive  military  and  intelligence  requirements. 

Agent  of  the  Government  A  contractor  employee 
designated  in  writing  by  the  Government  Contracting 
Officer  who  is  authorized  to  act  on  behalf  of  the  Gov¬ 
ernment. 

Authentication,  a.  To  establish  the  validity  of  a 
claimed  identity,  b.  To  provide  protection  against  fraud¬ 
ulent  transactions  by  establishing  the  validity  of  mes¬ 
sage,  station,  individual,  or  originator. 

Automated  Information  System  (AIS).  A  generic 
term  applied  to  all  electronic  computing  systems.  AISs 
are  composed  of  computer  hardware  (i.e.,  automated 
data  processing  (ADP)  equipment  and  associated 
devices  that  may  include  communication  equipment), 
firmware,  operating  systems,  and  other  applicable  soft¬ 
ware.  AISs  collect,  store,  process,  create,  disseminate, 
communicate,  or  control  data  or  information. 

Billets.  A  determination  that  in  order  to  meet  need-to- 
know  criteria,  certain  SAPs  may  elect  to  limit  access  to 
a  predetermined  number  of  properly  cleared  employees. 
Security  personnel  do  not  count  against  the  billet  sys¬ 
tem. 


Boundary.  The  boundary  of  an  AIS  or  network 
includes  all  users  that  are  directly  or  indirectly  con¬ 
nected  and  who  can  receive  data  from  the  system  with¬ 
out  a  reliable  human  review  by  an  appropriately  cleared 
authority. 

Certification.  A  statement  to  an  accrediting  authority 
of  the  extent  to  which  an  AIS  or  network  meets  its  secu¬ 
rity  criteria.  This  statement  is  made  as  part  of  and  in 
support  of  the  accreditation  process. 

Clearing.  The  removal  of  information  from  the  media 
to  facilitate  continued  use  and  to  prevent  the  AIS  system 
from  recovering  previously  stored  data.  However,  the 
data  may  be  recovered  using  laboratory  techniques. 
Overwriting  and  degaussing  are  acceptable  methods  of 
clearing  media. 

Codeword.  A  single  classified  word  assigned  to  repre¬ 
sent  a  specific  SAP  or  portions  thereof. 

Collateral  Information.  Collateral  information  is 
National  Security  Information  created  in  parallel  with 
Special  Access  Information  under  the  Provisions  of 
E.O.  12356  (et  al)  but  which  is  not  subject  to  the  added 
formal  security  protection  required  for  Special  Access 
Information  (stricter  access  controls,  need-to-know, 
compartmentation,  stricter  physical  security  standards, 
etc). 

Compelling  Need.  A  requirement  for  immediate 
access  to  special  program  information  to  prevent  failure 
of  the  mission  or  operation  or  other  cogent  reasons. 

Contractor  Program  Security  Officer  (CPSO).  An 
individual  appointed  by  the  contractor  who  performs  the 
security  duties  and  functions  for  Special  Access  Pro¬ 
grams. 

Contractor  Program  Manager  (CPM).  A  contrac¬ 
tor-designated  individual  who  has  overall  responsibility 
for  all  aspects  of  a  Program. 

Counterintelligence  Awareness.  A  state  of  being 
aware  of  the  sensitivity  of  classified  information  one 
possesses,  collaterally  aware  of  the  many  modes  of 
operation  of  hostile  intelligence  persons  and  others 
whose  interests  are  inimical  to  the  United  States  while 
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being  able  to  recognize  attempts  to  compromise  one's 
information,  and  the  actions  one  should  take,  when  one 
suspects  he  has  been  approached,  to  impart  the  neces¬ 
sary  facts  to  trained  counterintelligence  personnel. 

Customer.  The  Government  organization  that  sponsors 
the  processing. 

Data  Integrity,  a.  The  state  that  exists  when  computer¬ 
ized  data  is  the  same  as  that  in  the  source  documents  and 
has  not  been  exposed  to  accidental  or  malicious  alter¬ 
ation  or  destruction,  b.  The  property  that  data  has  not 
been  exposed  to  accidental  or  malicious  alteration  or 
destruction. 

Debriefing.  The  process  of  informing  a  person  his 
need-to-know  for  access  is  terminated. 

Declassification  (Media).  An  administrative  step  that 
the  owner  of  the  media  takes  when  the  classification  is 
lowered  to  UNCLASSIFIED.  The  media  must  be  prop¬ 
erly  sanitized  before  it  can  be  downgraded  to  UNCLAS¬ 
SIFIED. 

Degauss,  a.  To  reduce  the  magnetization  to  zero  by 
applying  a  reverse  (coercive)  magnetizing  force,  com¬ 
monly  referred  to  as  demagnetizing,  or  b.  To  reduce  the 
correlation  between  previous  and  present  data  to  a  point 
that  there  is  no  known  technique  for  recovery  of  the  pre¬ 
vious  data. 

Degausser.  An  electrical  device  or  hand-held  perma¬ 
nent  magnet  assembly  that  generates  a  coercive  mag¬ 
netic  force  for  degaussing  magnetic  storage  media  or 
other  magnetic  material. 

Degaussing  (Demagnetizing).  Procedure  using  an 
approved  device  to  reduce  the  magnetization  of  a  mag¬ 
netic  storage  media  to  zero  by  applying  a  reverse  (coer¬ 
cive)  magnetizing  force  rendering  any  previously  stored 
data  unreadable  and  unintelligible. 

Digraph  and/or  Trigraph.  A  two  and/or  three-letter 
acronym  for  the  assigned  Codeword  or  nickname. 

Disclosure  Record.  A  record  of  names  and  dates  of 
initial  access  to  any  Program  information. 

e.g.  For  example  (exempli  gratia). 

Eligibility.  A  determination  that  a  person  meets  person¬ 
nel  security  standards  for  access  to  Program  material. 


EPROM.  A  field-programmable  read-only  memoiy 
that  can  have  the  data  content  of  each  memory  cell 
altered  more  than  once.  An  EPROM  is  bulk-erased  by 
exposure  to  a  high-intensity  ultraviolet  light.  Sometimes 
referred  to  as  a  reprogrammable  read-only  memory. 

EEPROM,  Abbreviation  for  electrically  erasable  pro¬ 
grammable  read-only  memory.  These  devices  are  fabri¬ 
cated  in  much  the  same  way  as  EPROMs  and,  therefore, 
benefit  from  the  industry's  accumulated  quality  and  reli¬ 
ability  experience.  As  the  name  implies,  erasure  is 
accomplished  by  introducing  electrical  signals  in  the 
form  of  pulses  to  the  device,  rather  than  by  exposing  the 
device  to  ultraviolet  light.  Similar  products  using  a 
nitride  NMOS  process  are  termed  EAROMS  (for  elec¬ 
trically  alterable  read-only  memory). 

Government  Program  Manager  (GPM).  The  senior 
Government  Program  official  who  has  ultimate  respon¬ 
sibility  for  all  aspects  of  the  Program. 

i.e.  That  is  (id  est). 

Inadvertent  Disclosure.  A  set  of  circumstances  or  a 
security  incident  in  which  a  person  has  had  involuntary 
access  to  classified  information  to  which  the  individual 
was  or  is  not  normally  authorized. 

Indoctrination.  An  initial  indoctrination  and/or 
instruction  provided  each  individual  approved  to  a  SAP 
prior  to  his  exposure  concerning  the  unique  nature  of 
Program  information  and  the  policies,  procedures,  and 
practices  for  its  handling. 

Information  Systems  Security  Representative 
(ISSR).  The  Provider-assigned  individual  responsible 
for  the  on-site  security  of  the  AIS(s)  processing  infor¬ 
mation  for  the  Customer. 

Joint  Use  Agreement.  A  written  agreement  signed  by 
two  or  more  accrediting  authorities  whose  responsibility 
includes  information  processed  on  a  common  AIS  or 
network.  Such  an  agreement  defines  a  cognizant  secu¬ 
rity  authority  and  the  security  arrangements  that  will 
govern  the  operation  of  the  network. 

Memorandum  of  Agreement  (MOA).  An  agreement, 
the  terms  of  which  are  delineated  and  attested  to  by  the 
signatories  thereto.  MOA  &  MOU  (Memorandum  of 
Understanding)  are  used  interchangeably. 
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Network,  A  computing  environment  with  more  than 
one  independent  processor  interconnected  to  permit 
communications  and  sharing  of  resources. 

Nicknames.  A  combination  of  two  separate  unclassi¬ 
fied  words  assigned  to  represent  a  specific  SAP  or  por¬ 
tion  thereof. 

Nonvolatile  Memory  Components.  Memory  compo¬ 
nents  that  do  retain  data  when  all  power  sources  are  dis¬ 
connected. 

Object  Reuse.  The  reassignment  to  some  subject  of  a 
medium  (e.g.,  page  frame,  disk  sector,  magnetic  tape) 
that  contained  one  or  more  objects.  To  be  securely  reas¬ 
signed,  such  media  will  contain  no  residual  data  from 
the  previously  contained  object(s). 

Office  Information  System  (OIS).  An  OIS  is  a  spe¬ 
cial  purpose  AIS  oriented  to  word  processing,  electronic 
mail,  and  other  similar  office  functions.  An  OIS  is  nor¬ 
mally  comprised  of  one  or  more  central  processing 
units,  control  units,  storage  devices,  user  terminals,  and 
interfaces  to  connect  these  components. 

Overwrite  (Re-recording)  Verification.  An  approved 
procedure  to  review,  display,  or  check  the  success  of 
an  overwrite  procedure,  or  b.  The  successful  testing 
and  documentation  through  hardware  and  random 
hard-copy  readout  of  the  actual  overwritten  memory 
sectors. 

Perimeter.  The  perimeter  of  an  AIS  or  network  is  the 
extent  of  the  system  that  is  to  be  accredited  as  a  single 
system. 

Peripheral  Devices.  Any  device  attached  to  the  net¬ 
work  that  can  store,  print,  display,  or  enhance  data  (e.g., 
disk  and/or  tape,  printer  and/or  plotter,  an  optical  scan¬ 
ner,  a  video  camera,  a  punched-card  reader,  a  monitor, 
or  card  punch). 

Personal  Computer  System  (PC).  A  PC  is  a  system 
based  on  a  microprocessor  and  comprised  of  internal 
memory  (ROMs  and  RAMs),  input  and/or  output,  and 
associated  circuitry.  It  typically  includes  one  or  more 
read/write  device(s)  for  removable  magnetic  storage 
media  (c.g.,  floppy  diskettes,  tape  cassettes,  hard  disk 
cartridges),  a  keyboard,  CRT  or  plasma  display,  and  a 
printer.  It  is  easily  transported  and  is  primarily  used  on 
desk  tops  for  word  processing,  database  management,  or 
engineering  analysis  applications. 

Program  Access  Request  (PAR).  A  formal  request 
used  to  nominate  an  individual  for  Program  access. 


Program  Channels  or  Program  Security  Channels. 

A  method  or  means  expressly  authorized  for  the  han¬ 
dling  or  transmission  of  classified  or  unclassified  SAP 
information  whereby  the  information  is  provided  to 
indoctrinated  persons. 

Program  Executive  Agent  The  highest  ranking  mili¬ 
tary  or  civilian  individual  charged  with  direct  respons¬ 
ibility  for  the  Program  and  usually  appoints  the 
Government  Program  Manager. 

Program  Material.  Program  material  and  information 
describing  the  service(s)  provided,  the  capabilities 
developed,  or  the  item(s)  produced  under  the  SAP. 

Program  Security  Officer  (PSO).  The  Government 
official  who  administers  the  security  policies  for  the 
SAP. 

Program  Sensitive  Information.  Unclassified  infor¬ 
mation  that  is  associated  with  the  Program.  Material  or 
information  that,  while  not  directly  describing  the  Pro¬ 
gram  or  aspects  of  the  Program,  could  indirectly  dis¬ 
close  the  actual  nature  of  the  Program  to  a  non- 
Program-briefed  individual. 

Provider.  The  Contractor  or  Government-support  orga¬ 
nization  (or  both)  that  provides  the  process  on  behalf  of 
the  Customer. 

Sanitizing.  The  removal  of  information  from  the  media 
or  equipment  such  that  data  recovery  using  any  known 
technique  or  analysis  is  prevented.  Sanitizing  shall 
include  the  removal  of  data  from  the  media,  as  well  as 
the  removal  of  all  classified  labels,  markings,  and  activ¬ 
ity  logs.  Properly  sanitized  media  may  be  subsequently 
declassified  upon  observing  the  organization’s  respec¬ 
tive  verification  and  review  procedures. 

Secure  Working  Area.  An  accredited  facility  or  area 
that  is  used  for  handling,  discussing  and/or  processing, 
but  not  storage  of  SAP  information. 

Security  level.  A  clearance  or  classification  and  a  set  of 
designators  of  special  access  approvals;  i.e.,  a  clearance 
and  a  set  of  designators  of  special  access  approval  or  a 
classification  and  a  set  of  such  designators,  the  former 
applying  to  a  user,  the  latter  applying,  for  example,  to  a 
computer  object. 

Security  Policy.  The  set  of  laws,  rules,  and  practices 
that  regulate  how  an  organization  manages,  protects, 
and  distributes  sensitive  information.  A  complete  secu¬ 
rity  policy  will  necessarily  address  many  concerns 
beyond  the  scope  of  computers  and  communications. 
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Security  Profile.  The  approved  aggregate  of  hardware/ 
software  and  administrative  controls  used  to  protect  the 
system. 

Security  Testing.  A  process  used  to  determine  that  the 
security  features  of  a  system  are  implemented  as 
designed  and  that  they  are  adequate  for  a  proposed 
application  environment.  This  process  includes  hands- 
on  functional  testing,  penetration  testing,  and  verifica¬ 
tion.  See  also:  Functional  Testing,  Penetration  Testing, 
Verification. 

Sensitivity  Label.  A  collection  of  information  that  rep¬ 
resents  the  security  level  of  an  object  and  that  describes 
the  sensitivity  of  the  data  in  the  object  A  sensitivity  label 
consists  of  a  sensitivity  level  (classification  and  compart¬ 
ments)  and  other  required  security  markings  (e.g..  Code¬ 
words,  handling  caveats)  to  be  used  for  labeling  data. 

Sensitive  Activities.  Sensitive  activities  are  special 
access  or  Codeword  programs,  critical  research  and 
development  efforts,  operations  or  intelligence  activi¬ 
ties,  special  plans,  special  activities,  or  sensitive  support 
to  the  customer  or  customer  contractors  or  clients. 

Sensitive  Compartmented  Information  (SCI).  SCI 

is  classified  information  concerning  or  derived  from 
intelligence  sources  and  methods  or  analytical  processes 
that  is  required  to  be  handled  within  a  formal  control 
system  established  by  Director  of  Central  Intelligence. 

Sensitive  Compartmented  Information  Facility 
(SCIF).  SCIF  is  an  area,  room(s),  building  installation 
that  is  accredited  to  store,  use,  discuss,  or  electronically 
process  Sensitive  Compartmented  Information  (SCI). 
The  standards  and  procedures  for  a  SCIF  are  stated  in 
DCIDs  1/19  and  1/21. 

Special  Access  Program  Facility  (SAPF).  A  specific 
physical  space  that  has  been  formally  accredited  in  writ¬ 
ing  by  the  cognizant  PSO  which  satisfies  the  criteria  for 
generating,  safeguarding,  handling,  discussing,  and  stor¬ 
ing  CLASSIFIED  and/or  UNCLASSIFIED  Program 
information,  hardware,  and  materials. 

Special  Program  Document  Control  Center.  The 

component’s  activity  assigned  responsibility  by  the 
ISSR  for  the  management,  control,  and  accounting  of  all 
documents  and  magnetic  media  received  or  generated  as 
a  result  of  the  special  program  activity. 

Stand-Alone  AIS.  A  stand-alone  AIS  may  include 
desktop,  laptop,  and  notebook  personal  computers,  and 
any  other  hand-held  electronic  device  containing  classi¬ 
fied  information.  Stand-alone  AISs  by  definition  are  not 
connected  to  any  LAN  or  other  type  of  network. 


System.  An  assembly  of  computer  and/or  communica¬ 
tions  hardware,  software,  and  firmware  configured  for  the 
purpose  of  classifying,  sorting,  calculating,  computing, 
summarizing,  transmitting  and  receiving,  storing,  and 
retrieving  data  with  a  minimum  of  human  intervention. 

Trigraph.  (See  Digraph  and/or  Trigraph.) 

Trojan  Horse.  A  computer  program  with  an  apparently 
or  actually  useful  function  that  contains  additional  (hid¬ 
den)  functions  that  surreptitiously  exploit  the  legitimate 
authorizations  of  the  invoking  process  to  the  detriment 
of  security  (for  example,  making  a  "blind  copy"  of  a 
sensitive  file  for  the  creator  of  the  Trojan  horse). 

Trusted  Computer  System.  A  system  that  employs 
sufficient  hardware  and  software  integrity  measures  to 
allow  its  use  for  processing  simultaneously  a  range  of 
sensitive  or  classified  information. 

Trusted  Path.  A  mechanism  by  which  a  person  at  a  ter¬ 
minal  can  communicate  directly  with  the  trusted  com¬ 
puting  base.  This  mechanism  can  only  be  activated  by 
the  person  or  the  trusted  computing  base  and  cannot  be 
imitated  by  untrusted  software. 

Two-Person  Integrity.  A  provision  that  prohibits  one 
person  from  working  alone. 

Unacknowledged  Special  Access  Program.  A  SAP 
with  protective  controls  that  ensures  the  existence  of  the 
Program  is  not  acknowledged,  affirmed,  or  made  known 
to  any  person  not  authorized  for  such  information.  All 
aspects  (e.g.,  technical,  operational,  logistical,  etc.)  are 
handled  in  an  unacknowledged  manner. 

Users.  Any  person  who  interacts  directly  with  an  AIS 
or  a  network  system.  This  includes  both  those  persons 
who  are  authorized  to  interact  with  the  system  and  those 
people  who  interact  without  authorization  (e.g.,  active 
or  passive  wiretappers). 

Vendor.  The  manufacturer  or  sellers  of  the  AIS  equip¬ 
ment  and/or  software  used  on  the  special  program. 

Virus.  Malicious  software.  A  form  of  Trojan  horse  that 
reproduces  itself  in  other  executable  code. 

Volatile  Memory  Components.  Memory  components 
that  do  not  retain  data  after  removal  of  all  electrical 
power  sources  and  when  reinserted  into  a  similarly  con¬ 
figured  AIS  do  not  contain  residual  data. 

Workstation.  A  high-performance,  microprocessor- 
based  platform  that  uses  specialized  software  applicable 
to  the  work  environment. 
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Appendix  B 
AIS  Acronyms 


Many  computer  security-related  acronyms  are  used  in  this  Supplement.  These  acronyms,  after  first  being 
defined,  are  used  throughout  this  document  to  reduce  its  length.  The  acronyms  used  in  this  document  are  defined 
below: 


AIS  Automated  Information  System 

AISSP  AIS  Se^  urity  Plan 


CM 

CCB 

CPU 

CRT 

CSA 


Configuration  Management 

Configuration  Control  Board 

Central  Processing  Unit 

Cathode  Ray  Tube  (Monitor  Screen  Tube) 

Cognizant  Security  Agency  (Customer) 


DAC 

DCID 

DoD 


Discretionary  Access  Control 
Director  of  Central  Intelligence  Directive 
Department  of  Defense 


E.O. 

EPROM 

EAPROM 

EEPROM 


Executive  Order 

Erasable  Programmable  Read-Only  Memory 
Electrically  Alterable  Programmable  Read-Only  Memory 
Electrically  Erasable  Programmable  Read-Only  Memory 


I/O  Input  and/or  Output 

ISSR  Information  System  Security  Representative 


K 


Thousand  (kilo) 


LAN  Local  Area  Network 

LOGON  Log  On 


MAC  Mandatory  Access  Control 

MODEM  Modulator  and/or  Demodulator 


NCSC  National  Computer  Security  Center 

NSA  National  Security  Agency 


OMB 


Office  of  Management  and  Budget 


PC  Personal  Computer  (i.e.,  desktop,  laptop,  notebook,  or  hand-held  computer) 

PL  Public  Law 

PROM  Programmable  Read-Only  Memory 


RAM  Random  Access  Memory 

ROM  Read  Only  Memory 


SAN 

SAP 

SAPF 


Separately  Accredited  Network 
Special  Access  Program 
Special  Access  Program  Facility 
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SCI 

Sensitive  Compartmented  Information 

STD 

Standard 

TS 

Top  Secret 

USERID 

User  Identification 

Appendix  C 
AISSP  Outline 

This  outline  provides  the  basis  for  preparing  an  AIS  Security  Plan  (AISSP).  The  annotated  outline,  with 
prompts  and  instructions,  will  assist  ISSRs  in  preparing  a  plan  that  includes  necessary  overviews,  descriptions, 
listings,  and  procedures.  It  will  also  assist  in  covering  the  requirements  contained  in  this  NISPOM  Supplement. 
In  preparing  the  AISSP,  any  information  that  does  not  appropriately  fit  under  a  subtitle  may  be  placed  under  a 
main  title.  For  example,  a  hardware  list  or  references  to  a  hardware  list  will  be  placed  under  the  4.0  AIS  HARD¬ 
WARE  heading.  For  changes  to  an  existing  plan  that  do  not  require  revision  of  the  entire  plan,  provide  name  and 
date  of  the  plan  to  be  modified,  date  of  changes  on  each  page,  and  cross  reference  to  the  plan’s  applicable  para¬ 
graph  numbers.  (For  changes,  only  the  change  pages  with  the  applicable  plan  name  and  date  need  to  be  sent  to 
the  CSA.) 
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INTRODUCTION 


This  section  will  describe  the  purpose  and  scope  of  the  AISSP.  It  may  include  any  topic  intended  to  help 
the  reader  understand  and  appreciate  the  purpose  of  the  AISSP.  Pertinent  background  information  may 
also  be  presented  to  provide  clarity. 


Security  Administration. 


Provide  the  name  and  date  of  this  plan  and  indicate  whether  it  is  an  original  or  revised  plan. 

Specify  the  cognizant  Customer  Program  Office  whose  activity  the  AIS  will  support  and  the  contract 
number(s),  if  applicable. 


Specify  the  Providers  name  and  address.  Identify  the  location  of  the  AIS  equipment  (including  the 
building  and  room  numbers(s)). 

Provide  the  names  of  the  Provider's  program  manager,  ISSR,  alternate(s).  Also  provide  their  secure  and 
unsecure  telephone  numbers  and  their  normal  office  hours. 

Provide  an  organizational  structure  showing  the  name  and  title  of  all  security  management  levels  above 
the  ISSR. 


Provide  joint-use  information  if  applicable. 


Purpose  and  Scope. 

The  plan  will  describe  how  the  Provider  will  manage  the  security  of  the  system.  Describe  the  purpose 
and  scope  of  this  AIS. 


SAPF  DESCRIPTION. 

This  section  will  provide  a  physical  overview  of  the  AIS  SAPF  (including  its  surroundings)  that  is  used 
to  secure  the  Customer's  program  activities.  It  will  include  information  about  the  secure  environment 
required  to  protect  the  AIS  equipment,  software,  media,  and  output. 


Physical  Environment. 

State  whether  the  SAPF  is  accredited  or  approved  to  process  and  store  classified  information,  who 
accredited  or  approved  it,  the  security  level,  and  when  approved.  State  whether  the  SAPF  is  approved  for 
open  or  closed  storage. 

Specify  whether  the  storage  approval  is  for  hard  disk  drives,  diskettes,  tapes,  printouts,  or  other  items. 
State  whether  the  approval  includes  unattended  processing. 


Floor  Layout. 

Provide  a  floor  plan  showing  the  location  of  AIS  equipment  and  any  protected  wire  lines.  (This  may  be 
included  in  a  referenced  appendix.)  The  building  and  room  number(s)  will  match  the  information  pro- 
vided  in  the  hardware  listing  (see  4.0), 


SAPF  Access. 


Describe  procedures  for  controlling  access  to  the  AIS(s)  to  include:  after  hours  access,  personnel  access 
controls,  and  procedures  for  providing  access  to  uncleared  visitors  (e.g.,  admitting,  sanitizing  area, 
escorting). 


TEMPEST. 

If  applicable,  describe  TEMPEST  countermeasures. 


AIS  DESCRIPTION 

This  section  will  provide  a  detailed  description  of  the  system  and  describe  its  security  features  and 
assurances. 

Describe  variances  and  exceptions. 


General  Information 

Provide  a  system  overview  and  description. 

Specify  clearance  level,  formal  access  (if  appropriate),  and  need-to-know  requirements  that  are  being 
supported. 

Identify  the  data  to  be  processed  including  classification  levels,  compartments,  and  special  handling 
restrictions  that  are  relevant. 

State  the  mode  of  operations. 

Indicate  the  AIS’s  usage  (in  percent)  that  will  be  dedicated  to  the  Customer's  activity  (e.g,  periods  pro- 
cessing). 

Configuration  and  Connectivity. 

Specify  whether  the  AIS  is  to  operate  as  a  stand-alone  system,  as  a  terminal  connected  to  a  mainframe, 
or  as  a  network. 

Describe  how  the  AIS  or  network  is  configured.  If  a  network,  specify  whether  it  is  a  unified  network  or 
interconnected  network.  Describe  the  security  support  structure  and  identify  any  specialized  security 
components  and  their  role. 

Identify  and  describe  procedures  for  any  connectivity  to  the  AIS(s).  Indicate  whether  the  connections 
are  to  be  classified  or  unclassified  systems. 

Provide  a  simplified  block  diagram  that  shows  the  logical  connectivity  of  the  major  components  (this 
may  be  shown  on  the  floor  layout  if  necessary-see  2.2).  For  AISs  operating  in  the  compartmented  or 
multilevel  modes  an  information  flow  diagram  will  be  provided. 

If  applicable,  discuss  the  separations  of  classified  and  unclassified  AISs  within  the  SAPF. 

Indicate  whether  the  AIS  is  configured  with  removable  or  nonremovable  hard  disk  drives. 


Describe  the  configuration  management  program.  Describe  the  procedures  to  ensure  changes  to  the  AIS 
require  prior  coordination  with  the  ISSR. 


33  User  Access  and  Operation. 

Describe  the  AIS  operation  start-up  and  shut-down  (mode  termination).  Provide  any  unique  equipment 
clearing  procedures. 

Discuss  all  AIS  user  access  control  (e.g.,  log-on  ID,  passwords,  file  protection,  etc.). 

Identify  the  number  of  system  users  and  the  criteria  used  to  determine  privileged  access. 

If  the  mode  is  other  than  dedicated,  discuss  those  mechanisms  that  implement  DAC  and  MAC  controls. 

Discuss  procedures  for  the  assignment  and  distribution  of  passwords,  their  frequency  of  change,  and  the 
granting  of  access  to  information  and/or  files. 

Indicate  whether  AIS  operation  is  required  24  hours  per  day. 

Discuss  procedures  for  after  hours  processing.  State  whether  the  AIS(s)  are  approved  for  unattended 
processing. 

Discuss  procedures  for  marking  and  controlling  AIS  printouts. 

Discuss  remote  access  and  operations  requiring  specific  approval  by  the  CSA. 

Discuss  procedures  for  incident  reporting. 

3.4  Audit  Trails. 

If  applicable,  discuss  the  audit  trails  used  to  monitor  user  access  and  operation  of  the  AIS  and  the  infor¬ 
mation  that  is  recorded  in  the  audit  trail.  State  whether  user  access  audit  trails  are  manual  or  automatic. 

Identify  the  individual  who  will  review  audit  trails  and  how  often. 

Describe  procedures  for  handling  discrepancies  found  during  audit  trails  reviews. 


4.0  AIS  HARDWARE 

This  section  will  describe  the  AIS  hardware  that  supports  the  Customer's  program.  This  section  will  pro¬ 
vide  a  listing  of  the  AIS  hardware  and  procedures  for  its  secure  control,  operation,  and  maintenance. 

Provide  a  complete  listing  of  the  major  hardware  used  to  support  the  Customer's  program  activities.  This 
list  may  be  in  tabular  form  located  either  in  this  section  or  a  referenced  appendix.  The  following  infor¬ 
mation  is  required  for  all  major  AIS  hardware:  nomenclature,  model,  location  (i.e.,  building/room  num¬ 
ber),  and  manufacturer. 

Provide  a  description  of  any  custom-built  AIS  hardware. 

Indicate  whether  the  AIS  hardware  has  volatile  or  nonvolatile  memory  components.  Specifically,  iden¬ 
tify  components  that  are  nonvolatile. 
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If  authorized,  describe  procedures  for  using  portable  devices  for  unclassified  processing. 
Identify  the  custodian(s)  for  AISs, 


4.1  Labeling  Hardware. 

Describe  how  the  AIS  hardware  will  be  labeled  to  identify  its  classification  level  (e.g.,  classified  and 
unclassified  AISs  collocated  in  the  same  secure  area). 

4.2  Maintenance  Procedures. 

Describe  the  maintenance  and  sanitization  procedures  to  be  used  for  maintenance  or  repair  of  defective 
AIS  hardware  by  inappropriately  cleared  personnel. 

4.3  Hardware  Sanitization  and  Destruction, 

Describe  the  procedures  or  methods  used  to  sanitize  and  or  destroy  AIS  hardware  (volatile  or  nonvola¬ 
tile  components). 

4.4  Hardware  Movement. 

Describe  the  procedures  or  receipting  methods  used  to  release  and  transport  the  AIS  hardware  from  the 
SAPF. 

Describe  the  procedures  or  receipting  methods  for  temporarily  or  permanently  relocating  the  AIS  hard¬ 
ware  within  the  SAPF. 

Describe  the  procedures  for  introducing  hardware  into  the  SAPF. 

4.5  Hardware  Control  and  Audit  Trails, 

Describe  all  AIS  hardware  maintenance  logs,  the  information  recorded  on  them,  who  is  responsible  for 
reviewing  them,  and  how  often. 

5.0  AIS  SOFTWARE 

This  section  will  provide  a  listing  of  ail  the  software  that  supports  the  Customer’s  program.  It  will  also 
provide  procedures  for  protecting  and  using  this  software. 

5,1  Authorized  Software. 

Provide  a  complete  listing  of  all  software  used  to  support  the  Customer’s  program  activities.  This  list 
may  be  in  tabular  form  and  may  be  located  either  in  the  section  or  in  a  referenced  appendix.  The  listing 
will  also  include  security  software  (e.g.,  audits  software,  anti-virus  software),  special-purpose  software 
(e.g.,  in-house,  custom,  commercial  utilities),  and  operating  system  software.  The  following  information 
is  required  for  AIS  software:  software  name,  version,  manufacturer,  and  intended  use  or  function. 
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Software  Procedures. 


Indicate  whether  a  separate  unclassified  version  of  the  operating  system  software  will  be  used  for  main¬ 
tenance. 

Describe  the  procedures  for  procuring  and  introducing  new  AIS  software  to  support  program  activities. 
Describe  the  procedures  for  evaluating  AIS  software  for  security  impacts. 

Describe  procedures  for  protecting  software  from  computer  viruses  and  malicious  code  and  for  reporting 
incidents. 

DATA  STORAGE  MEDIA 

This  section  provides  a  description  of  the  types  of  data  storage  media  to  be  used  in  the  Customer’s  pro¬ 
gram  and  their  control. 

Labeling  and  Storing  Media. 

Describe  how  the  data  storage  media  will  be  labeled  (identify  the  classification  level  and  contents). 

Discuss  how  classified  and  unclassified  data  storage  media  is  handled  and  secured  in  the  SAPF  (e.g., 
safes,  vaults,  locked  desk). 

Media  Clearing,  Sanitization,  and  Destruction. 

Describe  the  procedures  or  methods  used  to  clear,  sanitize,  and  destroy  the  data  storage  media. 

Media  Movement. 

Describe  the  procedures  (or  receipting  methods)  for  moving  data  storage  media  into  and  out  of  the 
SAPF. 

Describe  the  procedures  for  copying,  reviewing,  and  releasing  information  on  data  storage  media. 

Media  Control, 

Describe  the  method  of  controlling  data  storage  media. 

AIS  SECURITY  AWARENESS  PROGRAM 

Discuss  the  Provider's  security  awareness  program. 

Indicate  that  the  AIS  users  are  required  to  sign  a  statement  acknowledging  that  they  have  been  briefed 
on  the  AIS  security  requirements  and  their  responsibilities. 
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Appendix  D 

AIS  Certification  and  Accreditation 


A.  CERTIFICATION 

The  ISSR,  working  jointly  with  the  Customer,  is  responsible  for  coordinating  and  supporting  the  certification  process. 
The  ISSR  is  responsible  for  certifying,  or  coordinating  the  certification  of,  the  AJS  or  network.  Certification,  which  is 
a  prerequisite  for  accreditation,  is  accomplished  as  follows: 

1.  Identify  operational  requirements,  define  the  Mode  of  Operation,  and  identify  applicable  security  requirements, 
in  accordance  with  this  document  and  applicable  documents  referenced  herein, 

2.  Conduct  a  Risk  Management  Review  to  identify  risks  and  needed  countermeasures  and  specify  additional  secu¬ 
rity  requirements  (countermeasures)  based  on  the  review. 

3.  Prepare  an  AISSP.  Refine  the  plan  throughout  the  certification  process. 

4.  Conduct  a  test  and  inspection  to  establish  the  extent  to  which  the  AIS  performs  the  security  functions  needed  to 
support  the  mode  of  operation  and  security  policy  for  the  system  as  outlined  in  the  AISSP.  The  Customer  will 
require  a  written  certification  report, 

5.  Operating  in  the  compartmented  or  multilevel  mode  requires  the  development  of  an  A/S  Technical  Evaluation 
Plan.  After  Customer  concurrence,  accomplish  testing  as  described  herein.  AIS  security  testing  provides  assur¬ 
ance  to  the  Customer  that  the  subject  AIS(s)  or  network(s)  meets  the  security  requirements  for  operating  in  the 
compartmented  or  multilevel  mode.  Such  testing  is  a  prerequisite  for  Customer  accreditation. 

a.  Coordination  Scheduling  and  Testing.  The  security  test  may  be  jointly  conducted  by  the  Provider  and  the  Cus¬ 
tomer, 

b. Testing  Prerequisite.  The  Provider-developed  AIS  Technical  Evaluation  Test  Plan  will  be  coordinated  and/or 
approved  by  the  customer. 

B.  ACCREDITATION 

Accreditation  is  the  Customer’s  authorization  and  approval  for  an  AIS  or  network  to  process  sensitive  data  in  an  oper¬ 
ational  environment.  The  Customer  bases  the  accreditation  on  the  results  of  the  certification  process.  Following  certi¬ 
fication,  the  Customer  reviews  the  risk  assessment,  employed  safeguards,  vulnerabilities,  and  statement  of  level  of 
risk  and  makes  the  accreditation  decision  to  accept  risk  and  grant  approval  to  operate;  grant  interim  approval  to  oper¬ 
ate  (lATO)  and  fix  deficiencies;  or  to  shut-down,  fix  deficiencies,  and  recertify 
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